Hermit
Hermit is an enterprise-grade mobile spyware platform attributed by Google's Threat Analysis Group (TAG) and Lookout Threat Lab to the Italian surveillance vendor RCS Lab, with reporting also linking related activity to Tykelab. It targets both Android and iOS devices and has been described as a lawful-intercept-style phone-hacking tool sold to government customers. Reported targets included business executives, human rights activists, journalists, academics, and government officials, with activity observed in Kazakhstan and Romania.
Delivery observed by researchers relied on malicious links and social-engineering lures. In some cases, attackers reportedly worked with a target's ISP to disable mobile data connectivity and then sent SMS messages directing the victim to install an application to restore service. Hermit apps commonly masqueraded as mobile carrier applications; when ISP assistance was not available they masqueraded as messaging applications instead. Researchers also identified fake domains and web pages impersonating Apple, Facebook, and telecom providers used to lure targets. On iOS, operators reportedly abused Apple's Developer Enterprise Program, which issues certificates intended for in-house distribution: an app signed this way satisfies iOS code-signing requirements on any device and can be installed from a web link without passing App Store review.
Once installed, Hermit can remotely activate the phone's microphone, record calls, and read messages, call logs, contacts, photos, and other sensitive data, functioning as a full-featured surveillance implant.
High-confidence associations in the source material tie Hermit to RCS Lab, including the Google and Lookout attribution, and note that RCS Lab engaged with military and intelligence customers in multiple countries. Additional reporting states that RCS Lab registered fake lure domains as early as 2015, suggesting years of operational activity. One source instead describes Hermit as sold via resellers on behalf of Hacking Team/Memento Labs, which does not match the developer attribution above and should be treated as a lower-confidence claim.
Groups observed using it
2 distinct threat actors attributed by public researchers.
At the same time, Tykelab’s parent company, RCS Lab, has developed a powerful phone hacking tool, Hermit, which once installed on a victim’s device can be used to remotely activate the phone’s microphone, as well as record calls, access messages, call logs, contacts, photos and other sensitive data.
Its surveillance products include Hermit, a phone-hacking tool that once installed on a device can be used to record calls and remotely access messages, call logs, contacts, photos, and other sensitive data.
Techniques & procedures
15 distinct techniques documented for this family, grouped by tactic; the tactic labels follow ATT&CK where an ATT&CK tactic applies.
Resource Development (2 techniques)
Initial Access (3 techniques)
These products, often referred to as spyware, range from software and tools that enable remote access to a computer system without the consent of the user, administrator, or owner of the computer system.
Execution (3 techniques)
With system access, intermediaries are able to collect, exploit, extract, intercept, retrieve, alter, delete, or transmit content.
Intermediaries are fundamentally different than other entities that operate within the marketplace for OCC. Intermediaries are largely found as partners within the OCC supply chain, complementing product development through vulnerability research to complete exploit chains or as auxiliary support during technology deployment.
Stealth (1 technique)
Defense Impairment (1 technique)
Attackers were able to distribute infected apps on iOS by enrolling in Apple’s Developer Enterprise Program. This allowed bad actors to bypass the App Store’s standard vetting process and obtain a certificate that 'satisfies all of the iOS code signing requirements on any iOS devices.'
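A practitioner checking whether an iOS app reached a device through the enterprise-certificate channel described above can inspect the provisioning profile bundled with the app. The following is an added example, not code from this page, from RCS Lab, or from any of the cited researchers: it pulls the plist out of an embedded.mobileprovision blob and classifies the distribution type from Apple's profile keys (ProvisionsAllDevices marks an in-house enterprise profile; ProvisionedDevices marks ad hoc or development signing). The sample profile bytes are constructed for the example, with an invented team, app identifier and expiry date, and the leading and trailing bytes are placeholders standing in for the real CMS wrapper, not a valid signature.

```python
import plistlib
import re
import zipfile
from datetime import datetime
from typing import Optional

# Constructed sample (not a real profile): the XML plist that an enterprise
# in-house provisioning profile carries inside its CMS/PKCS#7 signature
# wrapper. The key names are Apple's; every value is invented for this example.
SAMPLE_ENTERPRISE_PROFILE = (
    b"\x30\x82\x0b\x12"  # placeholder for the DER/CMS header that precedes the plist
    + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Carrier Assistant</string>
    <key>Name</key><string>Example In-House Distribution</string>
    <key>TeamIdentifier</key><array><string>EXAMPLE123</string></array>
    <key>TeamName</key><string>Example Telecom S.p.A.</string>
    <key>ProvisionsAllDevices</key><true/>
    <key>ExpirationDate</key><date>2030-01-01T00:00:00Z</date>
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key><string>EXAMPLE123.com.example.carrier.assistant</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>"""
    + b"\x00placeholder-signature-bytes"
)

PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(profile_bytes: bytes) -> dict:
    """Pull the plist out of a CMS-wrapped .mobileprovision without verifying
    the signature (adequate for triage; verify separately if it matters)."""
    match = PLIST_RE.search(profile_bytes)
    if match is None:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(match.group(0))


def classify_profile(profile: dict) -> str:
    """Distribution type from the profile's keys:
    ProvisionsAllDevices -> enterprise (in-house), installs on any device;
    ProvisionedDevices   -> ad hoc, or development when get-task-allow is set;
    neither              -> App Store distribution."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"


def assess_profile(profile_bytes: bytes, now: Optional[datetime] = None) -> dict:
    """Triage summary for one embedded.mobileprovision blob."""
    profile = extract_plist(profile_bytes)
    now = now or datetime.utcnow()  # plistlib returns naive UTC datetimes
    kind = classify_profile(profile)
    expires = profile.get("ExpirationDate")
    flags = []
    if kind == "enterprise":
        flags.append("enterprise-signed: installed outside App Store review")
    if expires is not None and expires < now:
        flags.append("profile expired")
    return {
        "distribution": kind,
        "team_name": profile.get("TeamName"),
        "team_ids": profile.get("TeamIdentifier", []),
        "app_id": profile.get("Entitlements", {}).get("application-identifier"),
        "expires": expires,
        "flags": flags,
    }


def assess_ipa(path: str) -> dict:
    """Same check against an .ipa on disk; the profile sits at
    Payload/<Name>.app/embedded.mobileprovision inside the archive."""
    with zipfile.ZipFile(path) as ipa:
        for name in ipa.namelist():
            if name.startswith("Payload/") and name.endswith(".app/embedded.mobileprovision"):
                return assess_profile(ipa.read(name))
    raise ValueError("no embedded.mobileprovision in IPA (App Store-delivered apps carry none)")


if __name__ == "__main__":
    print(assess_profile(SAMPLE_ENTERPRISE_PROFILE))
```

The useful signal for this family is the combination: an enterprise-signed profile whose TeamName or AppIDName resembles a carrier or messaging brand while the TeamIdentifier belongs to nobody the organisation recognises. Pair the output with a device inventory of trusted enterprise teams rather than treating every in-house profile as hostile, since legitimate MDM-distributed apps use the same mechanism.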
Credential Access (1 technique)
Collection (3 techniques)
Command and Control (1 technique)
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Spyware sold via resellers on behalf of Hacking Team/Memento Labs.
Commercial spyware for Android and iOS devices that enables remote surveillance, including microphone activation, call recording, and access to messages, call logs, contacts, photos, and other sensitive data.
An Android mobile spyware family previously unattributed and later linked to RCS Lab.
Spyware attributed to RCS Lab that was observed active in Kazakhstan, indicating deployment for surveillance in authoritarian contexts.