Lookout Uncovers Android Spyware Deployed in KazakhstanDownload Case Study
Lookout Threat Lab researchers have uncovered enterprise-grade Android surveillanceware used by the government of Kazakhstan within its borders. While we’ve been following this threat for a while using Lookout Endpoint Detection and Response (EDR) these latest samples were detected in April 2022, four months after nation-wide protests against government policies were violently suppressed.
Based on our analysis, the spyware, which we named “Hermit,” is likely developed by Italian spyware vendor RCS Lab S.p.A and Tykelab Srl, a telecommunications solutions company we suspect to be operating as a front company.
This isn't the first time Hermit has been deployed. We know that the Italian authorities used it in an anti-corruption operation in 2019. We also found evidence suggesting that an unknown actor used it in northeastern Syria, a predominantly Kurdish region that has been the setting of numerous regional conflicts.
While some Hermit samples have been detected before and are broadly recognized as generic spyware, the connections we make in this blog to developers, campaigns and operators are new.
RCS Lab, a known developer that has been active for over three decades, operates in the same market as Pegasus developer NSO Group Technologies and Gamma Group, which created FinFisher. Collectively branded as “lawful intercept” companies, they claim to only sell to customers with legitimate use for surveillanceware, such as intelligence and law enforcement agencies. In reality, such tools have often been abused under the guise of national security to spy on business executives, human rights activists, journalists, academics and government officials.
What is Hermit?
Named after a distinct server path used by the attacker’s command and control (C2), Hermit is a modular surveillanceware that hides its malicious capabilities in packages downloaded after it’s deployed.
We obtained and analyzed 16 of the 25 known modules, each with unique capabilities. These modules, along with the permissions the core apps have, enable Hermit to exploit a rooted device, record audio and make and redirect phone calls, as well as collect data such as call logs, contacts, photos, device location and SMS messages.
We theorize that the spyware is distributed via SMS messages pretending to come from a legitimate source. The malware samples analyzed impersonated the applications of telecommunications companies or smartphone manufacturers. Hermit tricks users by serving up the legitimate webpages of the brands it impersonates as it kickstarts malicious activities in the background.
We’re aware of an iOS version of Hermit but were unable to obtain a sample for analysis.
Our analysis suggests that Hermit has not only been deployed to Kazakhstan, but that an entity of the national government is likely behind the campaign. To our knowledge, this marks the first time that a current customer of RCS Lab’s mobile malware has been identified.
We first detected samples from this campaign in April 2022. They were titled “oppo.service” and impersonated Chinese electronic manufacturer Oppo. The website the malware used to mask its malicious activity is an official Oppo support page (http://oppo-kz.custhelp[.]com) in the Kazakh language that has since gone offline. We also found samples that impersonate Samsung and Vivo.
The samples used in the Kazakh targeted campaign connected to the C2 address at 45.148.30[.]122:58442. However, further analysis of the spyware’s C2 server revealed that this IP address is used as a proxy for the real C2 server at 85.159.27[.]61:8442. The real C2 IP address is administered by STS Telecom, a small internet service provider (ISP) operating out of Nur-Sultan, Kazakhstan’s capital. Based on sparse online records, STS specializes in “other wired telecommunications” and cable services.
Syria, Italy and other targets
Prior to detecting the Kazakhstan samples, we found a reference to “Rojava,” a Kurdish-speaking region in northeastern Syria, in the passive DNS records of Hermit. This is significant because the region has been the site of ongoing crises, such as the Syrian civil war and conflicts between the Islamic State (IS) and U.S.-led coalition support of the Kurdish-led Syrian Democratic Forces (SDF). Most recently, Turkey conducted a series of military operations against the SDF that resulted in partial occupation of the region.
The domain we found (rojavanetwork[.]info) specifically imitates “Rojava Network,” a social media brand on Facebook and Twitter that provides news coverage and political analysis of the region, often in support of SDF operations.
Outside Syria, Hermit has been deployed in Italy. According to a document released by the Italian lower house in 2021, Italian authorities potentially misused it in an anti-corruption operation. The document mentioned an iOS version of Hermit and linked RCS Lab and Tykelab to the malware, which corroborates our analysis.
RCS Lab and its controversial connections
Like many spyware vendors, not much is known about RCS Lab and its clientele. But based on the information we do have, it has a considerable international presence.
According to leaked documents published in WikiLeaks in 2015, RCS Lab was a reseller for another Italian spyware vendor HackingTeam, now known as Memento Labs, as early as 2012. Correspondences between the two companies revealed that RCS Lab engaged with military and intelligence agencies in Pakistan, Chile, Mongolia, Bangladesh, Vietnam, Myanmar and Turkmenistan — the latter three ranked as authoritarian regimes by the Democracy Index.
RCS Lab also has past dealings with Syria, another authoritarian regime, as part of its collaboration with Berlin-based Advanced German Technology (AGT) to sell surveillance solutions.
Tykelab and its connection to RCS Lab
According to its own website, Tykelab provides innocuous technology solutions. However, we found various publicly-available clues that suggest otherwise. In addition to the Italian parliamentary document, we found several pieces of evidence tying Tykelab to RCS Lab.
For example, a current Tykelab employee’s LinkedIn profile indicates that they also work at RCS Lab. In addition, the company offers services that require skills that may be useful in the development and delivery of surveillanceware, such as knowledge or interaction with telecommunications networks, social media analysis, SMS services and mobile app development. One of the Tykelab job postings for a security engineer we found spells out desired skills that would have direct application to surveillance of mobile networks and devices.
In our own analysis of Hermit, we were able to tie Tykelab to Hermit and RCS Lab. One of the IP addresses Hermit used for C2 communications revealed an SSL certificate shared with another IP, 93.51.226[.]53. Notably, the shared certificate has Milan, Italy in the locality field which is where RCS Lab is headquartered.
This second IP used another SSL certificate that directly named RCS as the organization and Tykelab as the organization unit. The location references Rome, which is the headquarters location of Tykelab
Technical analysis: Hermit’s advanced capabilities
Hermit is a highly configurable surveillanceware with enterprise-grade capabilities to collect and transmit data.
For example, it uses 20-plus parameters, which enables any operator to tailor it to their campaign. The spyware also attempts to maintain data integrity of collected ‘evidence’ by sending a hash-based message authentication code (HMAC). This allows the actors to authenticate who sent the data as well as ensure the data is unchanged. Using this method for data transmission may enable the admissibility of collected evidence.
To cover up its true intentions, Hermit is built to be modular. This means malicious functionality is hidden inside additional payloads that the malware downloads as needed.
How it tricks victims and avoids detection
As we mentioned earlier, Hermit pretends to come from legitimate entities, namely telecommunications companies or smartphone manufacturers. To keep up this facade, the malware loads and displays the website from the impersonated company simultaneously as malicious activities kickstart in the background.
The first malicious step is to decrypt an embedded configuration file with properties that are used to communicate with the C2 server. But before communication happens, Hermit performs a series of checks to ensure that it isn’t being analyzed. This includes looking for the presence of an emulator and signs that the app itself has been modified to make analysis easier.
Modules and data collection
Once the malware connects with the C2, it takes instructions on what modules to download, each with distinct capabilities. In addition to the modules, the permissions that the malware requests indicate the various ways it could collect data.
In total we acquired 16 modules by interacting with the IP address (45.148.30[.]122:58442) “oppo.service” used for C2 communications. Based on identification numbers assigned to the modules in Hermit’s code, there are at least 25 modules.
Within the core app, we found an abstract class called “module” that provided additional hints as to what the rest of the modules are capable of. The code contained references to exploit usage, which was further confirmed by clues found in obtained modules. While we weren’t served exploits during testing, we can tell that an exploited device will have a local root service listening on 127.0.0.1:500 that the malware will “ping” for.
If the device is confirmed to be exploitable then it will communicate with the C2 to acquire the files necessary to exploit the device and start its root service. This service will then be used to enable elevated device privileges such as access to accessibility services, notification content, package use state and the ability to ignore battery optimization.
Beyond the root service, some of the modules expect or attempt to use root access directly through a su binary. These modules will attempt to modify the shared preferences of the SuperSU app in order to enable the execution of root commands without user interaction.
While this may be a generic attempt at using root without user awareness, SuperSU may also be a part of the unknown exploitation process. If root is not available, the modules may prompt the user to take actions which will accomplish the same goals.
These are the modules we were able to acquire (refer to the appendix for a complete breakdown of each modules):
Like other weaponry, spyware can easily be abused
Vendors of so-called “lawful intercept” spyware, such as RCS Lab, the NSO Group and Gamma Group, usually claim to only sell to entities that have a legitimate use for surveillanceware such as police forces fighting organized crime or terrorism. However, there have been many reports, especially in recent years, of spyware being misused.
We found evidence of Hermit being deployed in Kazakhstan and Syria, countries with poor human rights records. Even in the case of the anti-corruption operations in Italy, there was alleged mishandling of personal and private data.
In a sense, electronic surveillance tools are not that different from any other type of weaponry. Just this month, faced with financial pressure, CEO of the NSO group Shalev Hulio opened up the possibility of selling to “risky” clients. Spyware makers operate in secrecy and with limited oversight and the legitimacy of the use of their products is rarely as clear-cut as they project.
How to protect yourself from spyware like Hermit
With sophisticated data collection capabilities, and the fact that we carry them all the time, mobile devices are the perfect target for surveillance. While not all of us will be targeted by sophisticated spyware, here are some tips to keep yourself and your organization safe:
- Update your phone and apps: operating systems and apps will often have vulnerabilities that need to be patched. Update them to ensure the exploits are resolved.
- Don’t click on unknown links: one of the most common ways for an attacker to deliver malware is by sending you a message pretending to be a legitimate source. Don’t click on links, especially when you don’t know the source.
- Don’t install unknown apps: exercise caution when installing unknown apps, even if the source of the app seems like a legitimate authority.
- Periodically review your apps: sometimes malware can change settings or install additional content to your phone. Check your phone periodically to ensure nothing unknown has been added.
In addition to following the security best practices outlined above, we strongly recommend having a dedicated mobile security solution to ensure that your device is not compromised by malware or phishing attacks.
To the best of our knowledge the apps described in this article were never distributed through Google Play. Users of Lookout security apps are protected from these threats.