Experts link Hermit spyware to Italian surveillance firm RCS Lab and a front company

Pierluigi Paganini June 17, 2022

Experts uncovered enterprise-grade surveillance malware, dubbed Hermit, that has been used to target individuals in Kazakhstan, Syria, and Italy since 2019.

Lookout Threat Lab researchers uncovered enterprise-grade Android surveillance spyware, named Hermit, used by the government of Kazakhstan to track individuals within the country.


The latest samples of this spyware were detected by the researchers in April 2022, four months after a series of nationwide protests against government policies that were violently suppressed.

According to Lookout, the Hermit spyware was likely developed by the Italian surveillance vendor RCS Lab S.p.A. and Tykelab Srl; the latter is a telecommunications solutions company suspected of operating as a front company.

The researchers also observed Hermit in other circumstances. In 2019 the spyware was used by the Italian authorities in an anti-corruption operation, and the experts also uncovered an unknown actor using the surveillance software in northeastern Syria.

RCS Lab is a well-known “lawful intercept” vendor that officially sells its products only to law enforcement and intelligence agencies.

Hermit is a sophisticated, modular threat that allows operators to take full control of infected devices.

“We obtained and analyzed 16 of the 25 known modules, each with unique capabilities. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.” reads the analysis published by Lookout.

“We theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.”

The experts added that all the samples they analyzed are Android versions of the spyware; however, they are aware that an iOS version of the spyware also exists.

The malware is likely distributed via SMS messages that trick victims into installing apps masquerading as Samsung, Vivo, and Oppo applications. When the app is opened, it loads the impersonated company's legitimate website while the infection process starts in the background.
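The capability list Lookout quotes above (audio, calls, call logs, contacts, photos, location, SMS) and the delivery path described here (a sideloaded app whose label borrows an OEM brand) together describe a pattern a defender can triage against a device inventory. The following Python is an added example, not code from Lookout, RCS Lab or Security Affairs: it scores installed-app records on three gates that all must trip, a label claiming a brand while the package sits outside that vendor's namespace, installation by something other than an app store, and a permission set enabling several of the listed collection capabilities. The inventory is constructed, the package names and labels are hypothetical, and the brand-to-namespace map and capability threshold are assumptions an analyst would tune for their fleet.

```python
"""Triage heuristic for Hermit-style Android surveillanceware (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Brands the article says Hermit impersonated, mapped to the package-name
# namespaces those vendors ship under (assumption: extend for your fleet).
IMPERSONATED_BRANDS = {
    "samsung": ("com.samsung.", "com.sec."),
    "vivo": ("com.vivo.", "com.bbk."),
    "oppo": ("com.oppo.", "com.coloros.", "com.heytap."),
}

# Installers that count as an app store. A browser download handed to the
# system package installer, adb, or a null installer is treated as sideloaded,
# which is what an SMS-link delivery produces.
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Capabilities Lookout lists for Hermit, mapped to the runtime permissions
# that gate them on a non-rooted device.
CAPABILITY_PERMISSIONS = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "make/redirect calls": {"android.permission.CALL_PHONE",
                            "android.permission.ANSWER_PHONE_CALLS",
                            "android.permission.PROCESS_OUTGOING_CALLS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}
MIN_CAPABILITIES = 3  # analyst-chosen threshold, not a figure from the report


@dataclass(frozen=True)
class AppRecord:
    """One installed package as an MDM export or `pm list packages -i` would list it."""
    package: str
    label: str
    installer: Optional[str]
    permissions: FrozenSet[str]


@dataclass
class Finding:
    package: str
    brand: Optional[str]     # brand the label claims while the package is outside its namespace
    sideloaded: bool
    capabilities: List[str]  # Hermit-style capabilities the permission set enables
    suspect: bool


def impersonated_brand(app: AppRecord) -> Optional[str]:
    """Label names a vendor but the package does not live in that vendor's namespace."""
    label = app.label.lower()
    for brand, namespaces in IMPERSONATED_BRANDS.items():
        if brand in label and not app.package.startswith(namespaces):
            return brand
    return None


def enabled_capabilities(app: AppRecord) -> List[str]:
    return sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                  if app.permissions & perms)


def triage(app: AppRecord) -> Finding:
    """All three gates must trip, so a preinstalled OEM app (null installer, but in
    the vendor namespace) or a greedy sideloaded game (no brand claim) is not flagged."""
    brand = impersonated_brand(app)
    sideloaded = app.installer not in STORE_INSTALLERS
    caps = enabled_capabilities(app)
    suspect = brand is not None and sideloaded and len(caps) >= MIN_CAPABILITIES
    return Finding(app.package, brand, sideloaded, caps, suspect)


def suspects(apps: List[AppRecord]) -> List[Finding]:
    return [f for f in map(triage, apps) if f.suspect]


# Constructed inventory: package names and labels are hypothetical.
P = "android.permission."
SAMPLE_APPS = [
    # Hermit-like: OEM label, sideloaded, broad collection footprint.
    AppRecord("com.update.service.client", "Samsung Update", "com.google.android.packageinstaller",
              frozenset({P + "RECORD_AUDIO", P + "CALL_PHONE", P + "READ_CALL_LOG", P + "READ_CONTACTS",
                         P + "READ_EXTERNAL_STORAGE", P + "ACCESS_FINE_LOCATION", P + "READ_SMS"})),
    # Preinstalled OEM app: null installer, but the package sits in Samsung's namespace.
    AppRecord("com.samsung.android.messaging", "Samsung Messages", None,
              frozenset({P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS", P + "READ_CONTACTS"})),
    # Sideloaded and greedy, but impersonates nobody.
    AppRecord("com.example.flashlight", "Bright Flashlight", "com.google.android.packageinstaller",
              frozenset({P + "CAMERA", P + "RECORD_AUDIO", P + "READ_CONTACTS", P + "ACCESS_FINE_LOCATION"})),
    # Borrows a brand name, but came from the store and asks for little.
    AppRecord("com.thirdparty.oppocare", "OPPO Care Tips", "com.android.vending",
              frozenset({P + "ACCESS_COARSE_LOCATION"})),
]

if __name__ == "__main__":
    for f in map(triage, SAMPLE_APPS):
        print(f"{'SUSPECT' if f.suspect else 'ok':8} {f.package:32} brand={f.brand} "
              f"sideloaded={f.sideloaded} caps={','.join(f.capabilities) or '-'}")
```

Run as a script, only the first record is flagged; the preinstalled Samsung app and the sideloaded flashlight show why any single gate on its own would produce noise. On a real fleet the records come from an MDM inventory or from `adb shell pm list packages -i` (installer) plus `adb shell dumpsys package <pkg>` (requested permissions). The permission gate covers only the unprivileged path: on a rooted device, which Lookout says Hermit can exploit, the modules do not need to request these permissions at all, so a rooted or tampered device should be treated as suspect regardless of this score.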

The report published by Lookout states that RCS Lab also has past dealings with the Syrian authoritarian regime, as part of its collaboration with Berlin-based Advanced German Technology (AGT) to sell surveillance solutions.

According to leaked documents published by WikiLeaks in 2015, RCS Lab was a reseller of the notorious Italian surveillance firm HackingTeam. RCS Lab was providing its software to military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan.

“According to its own website, Tykelab provides innocuous technology solutions. However, we found various publicly-available clues that suggest otherwise. In addition to the Italian parliamentary document, we found several pieces of evidence tying Tykelab to RCS Lab.” continues the report. “For example, a current Tykelab employee’s LinkedIn profile indicates that they also work at RCS Lab. In addition, the company offers services that require skills that may be useful in the development and delivery of surveillanceware, such as knowledge or interaction with telecommunications networks, social media analysis, SMS services and mobile app development. One of the Tykelab job postings for a security engineer we found spells out desired skills that would have direct application to surveillance of mobile networks and devices.”

The researchers also provided further evidence linking Tykelab to Hermit and RCS Lab, and published Indicators of Compromise (IoCs) for this threat.

