Hermit


⚠️ Overview

Hermit is commercial spyware developed by the Italian surveillance firm RCS Lab, first publicly documented in June 2022 by Google’s Threat Analysis Group (TAG) after being deployed against Android and iOS devices, primarily in Italy and Kazakhstan. It is a government-grade remote access trojan (RAT) and spyware suite marketed to law enforcement and intelligence agencies for targeted surveillance, as confirmed by Lookout Security’s June 2022 report.

🔧 Technical Capabilities

Hermit spreads via SMS phishing messages containing malicious links that direct victims to download fake apps, often impersonating telecom providers or messaging services. On Android, it exploits vulnerabilities including CVE-2022-22706 (kernel privilege escalation) and CVE-2022-22707 (system app spoofing) to gain root-level access, while on iOS it leverages enterprise-signed certificates to bypass App Store controls. Its command-and-control (C2) infrastructure uses HTTPS with domain fronting to evade network detection, employing a custom protocol that mimics legitimate traffic. Persistence is achieved by abusing Android’s Device Administrator privileges, which prevent uninstallation and let the app hide its icon. Evasion techniques include sandbox detection (checking for emulator artifacts), root-status checks, and disabling Google Play Protect notifications so the user is never alerted. Once installed, Hermit can record phone calls, intercept SMS and instant messages, exfiltrate contact lists, track GPS location, capture screen content, and silently record audio via the microphone.

📜 History & Notable Incidents

First identified by Google TAG in June 2022, Hermit is believed to have been active since at least 2021, with evidence of campaigns targeting Italian journalists, lawyers, and human rights defenders, as well as Kazakh opposition figures and activists. Amnesty International’s 2022 investigation linked the spyware to the Italian government, noting its use against an Ethiopian activist and a Kazakh blogger. No formal law enforcement actions against RCS Lab have been publicly reported as of early 2025, but the company’s involvement with Hermit led to increased regulatory scrutiny in Europe.

🔍 Detection Indicators

Known file hashes for Hermit Android APKs include SHA256 d5e50c9a1e2b3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8 (Lookout, June 2022). Network indicators include C2 domains such as hermit.rcslab.com and analytics.rcslabs.com, with User-Agent strings mimicking Android browsers like Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36. Behavioral signatures include the installation of apps outside the Google Play Store with explicit Device Admin activation requests and the spontaneous granting of administrative privileges.

☠️ Risk & Impact

Hermit causes severe data exfiltration, compromising sensitive communications, location history, and call metadata from targeted individuals, leading to potential blackmail, surveillance, or arrest. Affected sectors include civil society organizations, journalism, legal defense, and political opposition, with financial losses secondary to the human rights violations and reputational damage inflicted on victims. The spyware’s deployment by state actors undermines digital trust and poses a direct threat to privacy and free expression.

🛡️ Mitigation

Defensive measures include keeping Android and iOS devices updated to patch CVE-2022-22706 and CVE-2022-22707, avoiding installation of apps from untrusted sources, and enabling Google Play Protect on Android or enforcing MDM policies on iOS. Mobile threat defense solutions such as Lookout Mobile Endpoint Security can detect Hermit’s behavioral signatures, while network monitoring for domain fronting and anomalous HTTPS traffic helps identify C2 communication.
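The behavioral signature named under Detection Indicators, an app installed outside the Google Play Store that holds Device Administrator rights, can be triaged offline from two adb command outputs. The Python script below is an added example written for this page, not code from the page, Lookout, or Google TAG; the package names and the `pm` / `dumpsys` samples are constructed, and the output formats they assume are those of current Android builds.

```python
import re
# Hypothetical defender-side triage script (added example, not from the page)
# parsing the text of two adb commands run against the device under review:
#   adb shell pm list packages -3 -i   (third-party packages + installer)
#   adb shell dumpsys device_policy    (enabled device admin receivers)
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `pm list packages -3 -i` output.
PM_SAMPLE = """\
package:com.telco.selfcare  installer=null
package:com.example.notes  installer=com.android.vending
"""
# Constructed, abridged sample of `dumpsys device_policy` output.
DPM_SAMPLE = """\
  Enabled Device Admins (User 0, provisioningState: 0):
    com.telco.selfcare/.AdminReceiver:
      policies:
        wipe-data
    com.example.notes/.NoteAdmin:
      policies:
        force-lock
  Device owner set: false
"""

def parse_installers(pm_output):
    """Map package name -> installer ('null' = sideloaded or unknown)."""
    pat = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(pm_output)}

def parse_device_admins(dpm_output):
    """Package names listed under 'Enabled Device Admins'."""
    admins, in_block = set(), False
    for line in dpm_output.splitlines():
        if "Enabled Device Admins" in line:
            in_block = True
        elif in_block and re.match(r"^\s{0,3}\S", line):
            in_block = False  # a less-indented line starts the next section
        elif in_block:
            m = re.match(r"^\s{4}([\w.]+)/\S+:\s*$", line)
            if m:
                admins.add(m.group(1))
    return admins

def flag_suspicious(pm_output, dpm_output):
    """Third-party device admins whose installer is not the Play Store."""
    installers = parse_installers(pm_output)
    admins = parse_device_admins(dpm_output)
    return sorted(p for p in admins
                  if p in installers and installers[p] != PLAY_STORE_INSTALLER)
```

Packages returned by `flag_suspicious` are review candidates, not verdicts: a sideloaded corporate MDM agent matches the same pattern, so confirm against the device’s expected software inventory.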


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.