Android spyware developed by RCS Labs, a company in the same market as infamous Pegasus Spyware developer NSO Group, was discovered in Kazakhstan just months after anti-government protests were met with violence.
Security researchers with Lookout Threat Lab did not identify the specific targets of the Android spyware, but have raised concerns based on its timing and on the fact that a threat actor appears to have deployed it in Syria in opposition to Syrian forces.
“Enterprise-grade” Android spyware created by “legal intercept” company
The Lookout researchers indicate that there is evidence to suggest that the national government of Kazakhstan has deployed the Android spyware within its borders. This follows a prolonged period of unrest in the country dating back to January 2022, when citizens took to the streets in protest at a sharp and sudden rise in gas prices caused by a change in government policy. Protests quickly spread across the country and some escalated into riots, leading to a government declaration of a state of emergency and authorization for the president to use deadly force. About a week of violence resulted in 227 deaths and more than 9,000 arrests.
The Android spyware samples were picked up by Lookout in April. The spyware, called Hermit, was developed by an Italian company called RCS Lab SpA, which is in the same “legal interception” market as NSO Group. As with NSO’s Pegasus product, the company advertises that it only supplies law enforcement agencies from countries that have no record of human rights violations. And like Pegasus, it has popped up in multiple places that don’t fit this description.
Lookout has recorded previous cases of Hermit being used in Italy in 2019 as part of an anti-corruption operation, and in the conflict-ravaged northeastern region of Syria. The Android spyware isn’t as prolific or powerful as Pegasus; it does not use “zero click” techniques, but spreads via SMS messages that masquerade as communications from legitimate brands and direct the victim to malware-ridden clones of those brands’ official websites. Once installed, Hermit has 25 separate modules with different capabilities: logging all kinds of data from the phone, recording audio from phone calls, and diverting phone calls. The operator can freely choose which of these modules to use.
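The SMS-based spread described above relies on links whose hostnames borrow a brand’s name while pointing at a domain the brand does not own. The following is an added example (not code from Lookout, RCS Lab or this article) of the kind of defensive check a mobile security team can run over incoming SMS bodies: it extracts URL-like tokens, identifies any brand name embedded in the hostname, and flags the link as a lookalike when the registrable domain is not on that brand’s allowlist. The brand allowlist, the sample messages and the placeholder domains ending in .example are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Allowlist of each brand's legitimate registrable domain. This is an
# assumption for the example; a real deployment would maintain a fuller list.
BRAND_DOMAINS = {
    "samsung": {"samsung.com"},
    "vivo": {"vivo.com"},
    "oppo": {"oppo.com"},
}

# Loose URL matcher: optional scheme, a dotted hostname, optional path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def extract_urls(text):
    """Return every URL-looking token found in an SMS body."""
    return [m.group(0) for m in URL_RE.finditer(text)]


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Adequate for .com/.example here;
    production code should consult a public-suffix list to handle co.uk etc."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Classify one URL as 'legitimate', 'lookalike' or 'unbranded'."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    # A brand name anywhere in the hostname counts as a brand reference,
    # which catches both "samsung-verify.example" and "www.samsung.com".
    brand = next((b for b in BRAND_DOMAINS if b in host), None)
    if brand is None:
        verdict = "unbranded"
    elif registrable_domain(host) in BRAND_DOMAINS[brand]:
        verdict = "legitimate"
    else:
        verdict = "lookalike"
    return {"url": url, "host": host, "brand": brand, "verdict": verdict}


def scan_sms(text):
    """Return only the classifications that merit an alert: a brand name
    appears in the host but the registrable domain is not the brand's own."""
    return [c for c in (classify_url(u) for u in extract_urls(text))
            if c["verdict"] == "lookalike"]


# Constructed sample messages; the .example domains are placeholders.
SAMPLE_MESSAGES = [
    "Samsung: your account needs verification, visit http://samsung-account-verify.example/login",
    "Your Vivo order shipped: https://www.vivo.com/track",
    "Oppo security update available at http://account.oppo.com.login-check.example/x",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for hit in scan_sms(msg):
            print(f"ALERT brand={hit['brand']} host={hit['host']} url={hit['url']}")
```

The check deliberately stays on the defender’s side of the problem: it never fetches the link, so it can run on a gateway or in an MDM agent without touching attacker infrastructure, and a lookalike verdict is a signal for blocking or analyst review rather than a final judgement.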
There’s also reportedly an iOS version of Hermit, but the Lookout researchers haven’t been able to get a sample of it. This is the first time a specific customer has been linked to RCS Labs’ Android spyware, but the company’s general regional transactions are known through document leaks.
National government of Kazakhstan linked to Android spyware
Hermit’s deployment has been linked to the government of Kazakhstan through the unmasking of the real IP address of one of its command and control servers, which is located in the country’s capital, Nur-Sultan. The attacker tried to disguise the traffic as the property of several technology companies: Samsung, Vivo and the Chinese electronics manufacturer Oppo.
RCS Lab has been very quiet about who it does business with, but WikiLeaks releases from 2015 indicate it has supplied Android spyware to authoritarian governments in Myanmar, Vietnam, and Turkmenistan, among others. It also has previous ties to Syria through a Berlin company called Advanced German Technology that it partnered with to sell surveillance products.
The company appears to have been doing business in Syria with opponents of the Syrian Democratic Forces (SDF), the Kurdish-led coalition that seeks a democratic government and is backed by Western powers. The SDF was key in repelling ISIS from the country. In this case, whoever the customer was, they used a domain that spoofed the Rojava Network to deliver the Android spyware. The Rojava Network has a Facebook and Twitter presence that posts news and political analysis from a perspective that supports the SDF. The SDF continues to campaign against a collection of Islamist and Arab nationalist forces in the region, largely backed by Turkey.
The incident once again brings into focus the murky world of “law enforcement surveillanceware”, an industry in which NSO Group and Pegasus are both the most well-known names and the most “legitimate” products, despite a growing record of use for repressive and invasive purposes. NSO Group has faced mounting financial difficulties since a deluge of these reports began with the 2021 “Pegasus Project” founded by Amnesty International and an assortment of major international news agencies. The company has recently put forward two ideas for its survival, neither particularly appealing: it has talked about openly selling its iOS and Android spyware to more “dubious” customers, or selling the entire operation to US defense contractor L3Harris (manufacturer of Stingray trackers for cell phones). The latter possibility has some fearing that Pegasus could be widely adopted by U.S. law enforcement if provided with that layer of legitimacy.