Hermit¶
Hermit is a modular commercial spyware developed by Italian firm RCS Lab S.p.A. and distributed through ISP-level network injection. Its defining operational characteristic: the target's mobile data connection is disabled (with ISP cooperation), then an SMS is sent with a link to download an app that will supposedly "restore" connectivity. The target installs what appears to be a carrier support app but is actually the Hermit implant. This ISP-assisted delivery model was first documented in Italy and Kazakhstan. Hermit's modular architecture downloads individual surveillance capabilities as separate modules from C2 after initial installation, reducing the implant's static footprint.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2019 (estimated), publicly documented June 2022 |
| Status | Active |
| Type | Commercial spyware (government-exclusive) |
| Attribution | RCS Lab S.p.A. (Milan, Italy), with Tykelab Srl suspected as a front company |
| Aliases | None widely used |
| Platforms | Android (primary), iOS |
Origin and Lineage¶
RCS Lab S.p.A. has operated since 1993, initially providing lawful intercept solutions to Italian law enforcement. The company transitioned into offensive mobile surveillance tools, positioning itself in the same market as NSO Group and FinFisher but with a lower profile.
Lookout first published their discovery of Hermit in June 2022, identifying the implant through samples that impersonated telecommunications apps. Google TAG subsequently published a companion analysis confirming the ISP-assisted delivery mechanism and attributing the spyware to RCS Lab.
Lookout linked RCS Lab to a suspected front company called Tykelab Srl, a telecommunications solutions company headquartered in the same Italian cities (Milan and Rome). The connection was established through shared SSL certificates on C2 infrastructure: one IP used for Hermit C2 had an SSL certificate shared with another IP whose certificate directly named "RCS" as the organization and "Tykelab" as the organizational unit.
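The certificate-sharing pivot described above, reconstructed as an added example (not Lookout's tooling): every IP that ever served the same certificate fingerprint is placed in one cluster, and any subject organization or organizational unit seen on a cluster member is attached to the whole cluster. The IPs, fingerprints and names below are constructed placeholders, not real indicators.

```python
from collections import defaultdict

# Constructed TLS observations: (ip, cert_sha256, subject_org, subject_ou).
# Placeholder values only; none of these are real Hermit indicators.
OBSERVATIONS = [
    ("192.0.2.10", "fp-c2-shared", None, None),           # hypothetical implant C2 host
    ("192.0.2.11", "fp-c2-shared", None, None),           # same certificate served here too
    ("192.0.2.11", "fp-named-vendor", "RCS", "Tykelab"),  # second cert on that host names the vendor
    ("198.51.100.5", "fp-unrelated", "Example Hosting", None),
]


def cluster_by_shared_certs(observations):
    """Union-find over IPs: two IPs join when they served the same certificate.
    Returns {frozenset(ips): set(names)} where names are subject O/OU values."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    by_fp = defaultdict(list)
    for ip, fp, _, _ in observations:
        by_fp[fp].append(ip)
        find(ip)  # make sure every IP is registered, even if unlinked
    for ips in by_fp.values():
        for other in ips[1:]:
            parent[find(ips[0])] = find(other)  # union via the shared certificate

    clusters = defaultdict(lambda: {"ips": set(), "names": set()})
    for ip, _, org, ou in observations:
        c = clusters[find(ip)]
        c["ips"].add(ip)
        c["names"].update(n for n in (org, ou) if n)
    return {frozenset(c["ips"]): c["names"] for c in clusters.values()}


def pivot_from(seed_ip, observations):
    """Starting from a known C2 IP, return (linked IPs, subject names reachable via shared certs)."""
    for ips, names in cluster_by_shared_certs(observations).items():
        if seed_ip in ips:
            return sorted(ips), sorted(names)
    return [seed_ip], []
```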
Distribution¶
Hermit's ISP-assisted delivery is its most distinctive feature and represents a capability that requires government-level access to telecommunications infrastructure.
ISP-Level Network Injection¶
The attack flow, as documented by Google TAG:
- The operator (with ISP cooperation) disables the target's mobile data connection
- The target receives an SMS message appearing to come from their mobile carrier
- The message claims there is a connectivity issue and provides a link to download an app that will "fix" the problem
- The target, unable to use mobile data and believing the carrier is helping, downloads and installs the APK
- The app, branded as the carrier's support tool, is actually the Hermit implant
- Mobile data is restored, reinforcing the belief that the app worked
This delivery method exploits a realistic scenario: users experiencing connectivity issues naturally trust messages from their carrier. The ISP's involvement makes the pretext convincing, because the connectivity problem is real.
App Impersonation¶
Hermit samples analyzed by Lookout impersonated applications from:
| Impersonated Entity | Country |
|---|---|
| Samsung | Generic |
| Vivo | Generic |
| Oppo | Generic |
| Mobile carrier apps (specific to target ISP) | Italy, Kazakhstan |
Each sample uses the legitimate branding and UI of the impersonated company, including icons, splash screens, and app names.
Capabilities¶
Core Implant¶
The initial Hermit APK is relatively lightweight. It establishes persistence and C2 communication, then downloads surveillance modules on demand.
| Core Capability | Implementation |
|---|---|
| Persistence | Registers as device administrator, uses alarm-based scheduling to maintain execution |
| C2 communication | HTTPS with certificate pinning to C2 servers |
| Module loading | Downloads additional modules as DEX files or native libraries from C2 |
| Root exploitation | Attempts to gain root privileges using known Android exploits |
| Firebase integration | Uses Google Firebase for some C2 coordination (Google revoked Hermit's Firebase account upon discovery) |
Downloadable Modules¶
Each surveillance capability is implemented as a separate module downloaded post-installation. Lookout documented the following modules:
| Module | Function |
|---|---|
| Camera | Capture photos and video from front and rear cameras |
| Microphone | Record ambient audio |
| Call recording | Record voice calls |
| Contacts | Exfiltrate contact list |
| SMS | Read and exfiltrate SMS messages |
| Location | GPS tracking and cell tower positioning |
| Photos | Access and exfiltrate photo library |
| Email | Read email from device accounts |
| Calendar | Exfiltrate calendar events |
| Browser | Extract bookmarks, history, and search data |
| Clipboard | Monitor and capture clipboard contents |
| File manager | Browse and exfiltrate files from device storage |
| App list | Enumerate installed applications |
| Call log | Extract call history |
| Notifications | Intercept and read notifications |
| Audio recording | Record calls and VoIP conversations |
| Screen | Capture screenshots |
The modular design means the initial implant has a small static footprint, making it harder to detect through signature-based scanning. Modules are only downloaded when the operator tasks a specific capability, so a device compromised for contact exfiltration may never receive the camera module.
iOS Variant¶
Google TAG documented an iOS variant that abused Apple enterprise certificates to sideload the implant outside the App Store. The iOS version included six exploits (four known, two zero-day at the time of discovery): CVE-2021-30883 and CVE-2021-30983 were the zero-days, both iOS kernel vulnerabilities. Apple subsequently revoked the abused enterprise certificates.
Technical Details¶
Exploit Chains¶
Google TAG noted that RCS Lab's Android implant requests permissions that grant access to SMS, camera, microphone, and other sensitive data. When installed on a device where the user grants these permissions, no exploit is strictly necessary. For deeper access (root), the implant bundles known Android kernel exploits.
On iOS, the exploit chain includes:
| CVE | Type | Notes |
|---|---|---|
| CVE-2021-30883 | Kernel (IOMobileFrameBuffer) | 0-day at time of use |
| CVE-2021-30983 | Kernel | 0-day at time of use, analyzed by Google Project Zero |
Persistence¶
The Android implant achieves persistence through multiple mechanisms:
- Device administrator registration
- RECEIVE_BOOT_COMPLETED broadcast receiver to restart on boot
- Alarm-based scheduling to periodically check C2 for commands
- Foreground service with persistent notification (sometimes disguised as a system notification)
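The persistence mechanisms listed above, together with the broad collection permissions in the core-implant table, are all declared in an app's manifest, so a triage script can flag a "carrier support" APK that combines them. The following added example (not Google's or Lookout's code) reads a decoded AndroidManifest.xml and reports those indicators; the manifest string is constructed and the package and class names in it are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Collection permissions a carrier connectivity-fix app has no reason to request.
SURVEILLANCE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.ACCESS_FINE_LOCATION",
}


def manifest_indicators(manifest_xml: str) -> dict:
    """Return the persistence and collection indicators present in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name = ANDROID_NS + "name"
    perms = {e.get(name) for e in root.iter("uses-permission")}
    # Receiver registered for BOOT_COMPLETED restarts the implant after reboot.
    boot_receiver = any(a.get(name) == "android.intent.action.BOOT_COMPLETED"
                        for r in root.iter("receiver") for a in r.iter("action"))
    # A receiver guarded by BIND_DEVICE_ADMIN is the device-administrator hook.
    device_admin = any(r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    foreground = ("android.permission.FOREGROUND_SERVICE" in perms
                  and next(root.iter("service"), None) is not None)
    return {"boot_receiver": boot_receiver, "device_admin": device_admin,
            "foreground_service": foreground,
            "surveillance_perms": sorted(perms & SURVEILLANCE_PERMS)}


def hermit_like_score(ind: dict) -> int:
    """Additive triage score: persistence hooks weigh more, plus one per collection permission."""
    return (2 * ind["boot_receiver"] + 2 * ind["device_admin"]
            + int(ind["foreground_service"]) + len(ind["surveillance_perms"]))


# Constructed manifest resembling a fake carrier app; names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.carrier.support">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".KeepAliveService"/>
  </application>
</manifest>"""
```

Run `hermit_like_score(manifest_indicators(SAMPLE_MANIFEST))` on a decoded manifest (for example, the output of apktool) to get the score for triage.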
C2 Infrastructure¶
Hermit C2 servers use HTTPS with specific TLS certificate patterns that enabled Lookout and Google TAG to fingerprint and map the infrastructure. The C2 protocol supports:
- Module download and installation
- Tasking (which modules to activate, what data to collect)
- Data exfiltration (encrypted uploads over HTTPS)
- Implant updates and reconfiguration
Anti-Analysis¶
Compared to FinSpy's extensive obfuscation, Hermit's anti-analysis techniques are relatively conventional:
- String encryption
- Dynamic module loading (reduces static analysis surface)
- Certificate pinning on C2 connections
- Self-removal capability if analysis environment detected
Known Deployments and Targets¶
| Country | Context | Year | Source |
|---|---|---|---|
| Italy | Used in an anti-corruption operation by Italian authorities | 2019 | Lookout |
| Kazakhstan | Government deployment against domestic targets, with ISP cooperation from Kazakh telecom providers | 2022 | Lookout, Google TAG |
| Syria | Northern Syria deployment, likely by a government actor | Unknown | Lookout |
The Kazakhstan deployment drew the most attention because it involved a government deploying commercial spyware against its own citizens with ISP-level cooperation, during a period of domestic political unrest.
Notable Campaigns and Discoveries¶
2019: Hermit is reportedly used in Italy as part of a law enforcement anti-corruption operation. Lookout later identifies samples from this period.
April 2022: Lookout detects new Hermit samples in the wild and begins analysis.
June 16, 2022: Lookout publishes "Hermit: Italian Spyware Discovered", documenting the modular architecture, ISP-assisted delivery, and linking the spyware to RCS Lab and Tykelab through infrastructure analysis.
June 23, 2022: Google TAG publishes their analysis, confirming Lookout's findings and adding detail on the ISP injection mechanism. TAG notes that ISPs disabled target mobile data connectivity before sending the malicious SMS. Google begins notifying affected Android users and revokes Hermit's Firebase account. Apple revokes the abused enterprise certificates for the iOS variant.
June 2022: Google updates Play Protect to block Hermit from executing on Android devices.
2022-present: Google TAG includes RCS Lab in their broader reporting on commercial surveillance vendors (CSVs), warning that companies like RCS Lab are stockpiling zero-day vulnerabilities. TAG's 2024 reporting notes that CSVs were responsible for 20 of the 25 zero-days discovered being exploited in the wild in 2023.