What is Hermit spyware and how do you protect yourself from it?

It's pretty bad, but there are things you can do for protection.
By Stan Schroeder
[Image: a hand holding a phone with a letter logo on a fishing hook] This attack could harvest files from your device, and worse. Credit: Sarayut Thaneerat / Getty Images

A few days ago, articles (including ours) about the Hermit spyware appeared to pique reader interest.

Described in detail by Google's Threat Analysis Group (TAG), Hermit (the name comes from security firm Lookout, which first reported it) is a sophisticated piece of spyware that is actively being used in the wild. Attackers deliver it with exploits for zero-day vulnerabilities (flaws the vendor has not yet patched) as well as for older, already-patched bugs in Android and iOS, and end up with malware that can take control of the target's iOS or Android device.

Most news outlets focused on the "news" portion of the story. But as we've seen from this Reddit thread, what users really want to know (and rightfully so) is how, exactly, you can protect yourself from this menace, how you can know whether your device has been infected, and if it has, how to get rid of the spyware.

We've got some good news and some bad news.

The attack

The bad news is that, when performed properly, this is a highly sophisticated attack that could fool nearly anyone. One tactic that the attackers have employed, per TAG, is to work with the target's ISP to disable the target's mobile data connectivity and send them a malicious link via SMS to recover connectivity — and install the malware.

It's unclear whether the attackers actually got the ISPs to participate in the attack, or whether they had an insider who could perform these actions for them, but the result is chillingly effective. Imagine your phone losing mobile data connectivity and then immediately getting a message that appears to come from your carrier saying, "Yes, we know your phone's data connectivity doesn't work, here's a link to fix it." Unless you're aware of this particular attack, you'd probably tap it without much hesitation.

Another tactic was to send links to convincing, rogue versions of popular apps such as Facebook and Instagram which, again, resulted in the target's phone being infected.

[Image] An example of a prompt for the target to install malware apps. Credit: Google TAG

On Apple devices, the attackers didn't need the App Store at all. The iOS app was signed with a certificate issued under Apple's Developer Enterprise Program, Apple's own mechanism for letting organizations distribute in-house apps directly to devices. Apps signed this way still pass iOS code-signing checks and run under the same sandbox and security enforcement as App Store apps, so the rogue app ran without the system seeing anything unusual about it. According to TAG's analysis, that app bundled exploits for six different vulnerabilities, which it used to escalate privileges and then send interesting files from the device, like a WhatsApp database, to a third party.


TAG doesn't provide much info on what happens when a target's device gets infected. But here's more bad news: If an attacker has access to resources to perform this type of attack, they can probably deploy malware that's hard or impossible to detect or remove. And it could be (almost) anything: software that eavesdrops on your phone conversations, reads your messages, accesses your camera, you name it. Anti-malware software might be able to detect some of it or at least notify you that something's wrong, but you should primarily be concerned with protecting your device from getting infected in the first place.

But why did the attacks happen?

According to TAG, these attacks and malware are used by RCS Lab, an Italian company that says it works with governments (its tagline is that they "provide technological solutions and give technical support to the Lawful Enforcement Agencies worldwide.") In a statement to TechCrunch, the company said it "exports its products in compliance with both national and European rules and regulations" and that "any sales or implementation of products is performed only after receiving an official authorization from the competent authorities."

These types of attacks should, in theory, be fairly limited to very specific targets, such as journalists, activists, and politicians. TAG has only seen them in action in two countries, Italy and Kazakhstan (Lookout also adds Syria to that list). Obviously, this is pretty horrible — governments buying spyware from shady vendors and then deploying it against someone they deem their enemy — but that's the world we're living in.

It's not just RCS Lab and Hermit. TAG says it's tracking more than 30 vendors that sell "exploits or surveillance capabilities to government-backed actors." These vendors include companies like North Macedonia's Cytrox and its ALIEN/PREDATOR spyware, and Israel's NSO Group, known for its Pegasus spyware.

The good news, if you can call it that, is that these types of attacks aren't likely to spread to the devices of hundreds of millions of users. The people using these tools aren't building a spambot network; they're targeting specific individuals. But it's still important for everyone to know how to protect themselves from sophisticated attacks like these, as you never know when you might become the "specific individual" on some "lawful enforcement agency's" list.

How do you protect yourself from malware attacks like these?

A typical line you'll get from security experts is to never, ever install anything from a party you don't trust, or click on a link coming from someone you don't know. That's a bit harder to implement when your ISP is in on the scam and it's sending you links to "fix" your data connectivity. The rule of thumb still applies: If something feels off, double check it. If you're unsure whether a link or an app is legit, don't click on it, even if it comes from Google, Facebook, Apple, your ISP, even a relative. And always keep your device's software up to date.

TAG also highlights an important fact: None of the malware apps that were used to deploy Hermit were available in Apple's App Store or Google's Play Store (the attackers used various tactics, such as SMS links and an enterprise signing certificate, to sidestep the official stores). While installing apps only from official app stores doesn't offer 100 percent protection from malware, it's definitely good security practice.

Also, TAG says that Google has taken steps to protect users who have been directly affected by Hermit, including warning all Android victims, and implementing fixes to thwart the attacks. Apple told TechCrunch it has revoked all known accounts and certificates associated with Hermit.

If you want to take it a few steps further, security firm Kaspersky has a list of actions you can take to protect yourself from sophisticated spyware, and it includes daily reboots, disabling iMessage and FaceTime, and using an alternative browser to browse the internet, instead of the popular Chrome or Safari.

Stan Schroeder
Senior Editor
