Google warns Android users that ISPs spread ‘Hermit’ spyware


Authorities claim to have used the spyware to target people in Kazakhstan, Syria, and Italy.

What you must understand

  • According to Google’s security researchers, certain internet service providers assisted hackers in launching a spyware campaign.
  • Through malicious downloads, the “Hermit” spyware has targeted Android and iOS users in Kazakhstan and Italy.
  • The spyware, according to Google, was never added to the Play Store.

Research published a few weeks ago by endpoint security provider Lookout described a spyware operation purportedly employed by governments to steal private information from individuals in Kazakhstan and Italy. Google has since confirmed that information and alerted Android users to the “Hermit” spyware.

Google’s Threat Analysis Group (TAG) claims that governments and internet service providers (ISPs) in many nations worked together to distribute the spyware. Both Android and iOS devices may be susceptible to infection by the malware.


Hermit is designed to trick unwary users into downloading malicious apps. ISPs cooperating with the attackers cut off the victims’ data connections and then send them an SMS saying the connection will only be restored if they download an app.

If this strategy doesn’t work, the attackers pose as a trustworthy service, like a messaging app or mobile provider, to conceal the malware. Once installed on a mobile device, Hermit downloads modules from a command-and-control server to gain more functionality.

Hermit is then able to see the user’s phone history, whereabouts, photographs, and text messages. The spyware can also reroute calls, record audio, root Android devices, and give attackers total access.


Lookout identified RCS Labs, an Italian software firm, as the party behind the threat. However, the company asserts on its website that it exclusively offers technological assistance to government organizations engaged in legal interceptions.

Lookout nevertheless claims that the Italian software company is comparable to NSO Group, which is well known for its Pegasus spyware. That application may seem familiar because it has been used to spy on journalists, activists, and politicians via remote zero-click smartphone surveillance.

RCS Labs did not immediately respond to Android Central’s request for comment. However, it said in a statement to TechCrunch that its products abide by “both national and European standards and regulations.”


The company stated that “any sales or deployment of items is only undertaken after having an official authorization from the competent authorities.” It added, “Our items are delivered and installed at authorized customers’ locations.”

Lookout researchers have located victims in northern Syria, Italy, and Kazakhstan. Although it does not say how many users were impacted, Google has pledged to inform consumers in these nations.

Apps infected with Hermit, according to Lookout and Google’s TAG, never made it to the Google Play Store or the Apple App Store. Google has also released a new Google Play Protect update to improve security on all Android phones.

