Is Hermit Mobile Malware On Your Android Device?

Google's Threat Analysis Group (TAG) published its findings on a new campaign leveraging the Hermit mobile malware. Hermit is mobile malware with significant spying capabilities that was previously associated with government use. Reports dating back to April 2022 describe the Kazakhstan government using Hermit in the wake of suppressed protests against the country's government.

Google's TAG now highlights Hermit's use by "commercial surveillance vendors", and thinks the Internet is a "less safe" space overall because of this proliferation of tools previously associated with government backing and expertise.

The new campaigns send each target a unique link. Once the victim receives the link and taps it, they are prompted to install a malicious app. Versions of the app exist for both Android and iOS devices.

Google's TAG went so far as to say they believe the threat actor using Hermit in those attacks worked "with the target's ISP" and disabled the victim device's mobile data. The SMS with the malicious link claims that it contains an application that will restore the lost data connectivity. In the instances where disabling mobile data was not possible and the ISP was not involved, TAG states, the malicious applications were dressed up as messaging apps.

The iOS version uses a certificate from an entity called "3-1 Mobile SRL". This company is registered under the Apple Developer Enterprise Program, which allows the malware to install.
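For defenders reviewing iOS app bundles, the check below reads a provisioning profile (`embedded.mobileprovision`) and flags enterprise in-house profiles and the team name reported above. It is an added example, not code from Google's TAG or from this article; it assumes the profile's standard `TeamName` and `ProvisionsAllDevices` keys, and the sample profiles are constructed.

```python
import plistlib

# Team name reported in the article; extend with others you track.
FLAGGED_TEAMS = {"3-1 Mobile SRL"}

def extract_plist(blob: bytes) -> dict:
    """Return the XML plist embedded in a CMS-wrapped .mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def assess_profile(blob: bytes) -> dict:
    """Flag profiles that allow in-house installs or match a tracked team."""
    profile = extract_plist(blob)
    team = profile.get("TeamName", "")
    # Enterprise in-house profiles carry ProvisionsAllDevices = true.
    enterprise = profile.get("ProvisionsAllDevices") is True
    flagged = team in FLAGGED_TEAMS
    return {"team": team, "enterprise": enterprise,
            "flagged_team": flagged, "review": enterprise or flagged}

def _wrap(fields: dict) -> bytes:
    """Build a constructed sample: plist surrounded by stand-in signature bytes."""
    return b"\x30\x82\x00\x00" + plistlib.dumps(fields) + b"\x00\x01\x02"

# Constructed samples, not real profiles.
SAMPLE_ENTERPRISE = _wrap({"TeamName": "3-1 Mobile SRL",
                           "ProvisionsAllDevices": True})
SAMPLE_DEV = _wrap({"TeamName": "Example Dev Team",
                    "ProvisionedDevices": ["0000-CONSTRUCTED"]})

if __name__ == "__main__":
    for name, blob in (("enterprise", SAMPLE_ENTERPRISE), ("dev", SAMPLE_DEV)):
        print(name, assess_profile(blob))
```

A `review` result means the profile permits installation outside the App Store or names a tracked team; it is a prompt for analyst review, not proof of malware.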

The Hermit malware can download different modules from its C2 servers, including audio recording, call logging, media exfiltration and location tracking modules.

June 28, 2022