An alleged Italian-made Hermit Android spyware has been observed by researchers in Kazakhstan, where the government utilised it to monitor its citizens’ activities. Experts assumed that the spyware was developed by a couple of Italian firms named Tykelab Srl and RCS Lab S.p.A.
Moreover, a researcher said that an entity owned by the national government of Kazakhstan seems to operate the Hermit Spyware’s deployment. They first discovered Hermit samples from some identified campaigns last month.
The spyware posed as an Oppo service – coded as oppo[.]service. Oppo is an electronic manufacturer in China that is being distributed worldwide.
The actor’s website hides the spyware’s activity in a legitimate Oppo support page written in a Kazakhstani language. Other samples of the spyware impersonate Vivo and Samsung. As of writing this article, the support page of the spyware-laden website is offline.
The two Italian companies that created the Hermit Android spyware may have been working on other projects.
A separate researcher has uncovered new evidence that connects the RCS Lab to Tykelab aside from developing the Hermit Android spyware. For example, a particular Tykelab staff’s LinkedIn profile portrayed that it is working at an RCS Lab.
Another is that one job posting for vacant security of the Tykelab stated that their preferred skills should directly apply to surveillance of devices and mobile networks. Researchers uncovered one of the IP addresses utilised for command-and-control in Hermit to be an SSL certificate. In separate research, one RCS Lab’s headquarters holds the mentioned certificate in Milan, proving that the spyware was created in Italy.
Another IP address also uses an SSL certificate called RCS as the organisation and Tykelab as the unit. The Tykelab is in Rome, where it also holds the same certificate.
Today, mobile phones have been the most attractive target for surveillance or spyware as they have become storage for multiple credentials and several types of essential information. Therefore, all smartphone users should be wary of fraudulent websites and not download unknown apps found on unreliable sources.
