Explained: What is Hermit, the new Pegasus-like spyware and how to protect yourself from it


Hermit is a new spyware which is more invasive and malicious than Pegasus. It is believed that it has been used to target iPhone and Android devices in Italy and Kazakhstan by government agencies. However, there are reports that certain malicious actors also have access to it.


While there are still a number of unanswered questions about the Pegasus spyware, a new spyware has turned up that is wreaking even more havoc. Developed by an Italian vendor called RCS Lab, the new spyware, called Hermit, is believed to have targeted both iPhone and Android users in Italy, Kazakhstan, and according to some sources, Syria as well.


From a technical standpoint, Hermit is actually way more dangerous than Pegasus was. Hermit is part of a sophisticated malware attack that’s actively being used in the wild. Attackers are using zero-day vulnerabilities, or vulnerabilities that haven’t yet been patched, and a number of other dangerous exploits in Android and iOS code to deploy malware that can take control of someone’s iOS or Android device.

When implemented properly, Hermit can launch a sophisticated attack that could fool nearly anyone. One tactic that the attackers have employed, as per Google’s Threat Analysis Group or TAG, is to work with the target’s ISP to disable the target’s mobile data connectivity and send them a malicious link via SMS to recover connectivity, which then installs a data mining and data collecting malware.


As of now, it is unclear whether ISPs in the afflicted areas actively participated in facilitating these attacks or were compromised to carry these attacks out. In either case, things are not looking good for ISPs in afflicted areas.

Another tactic was to send links to convincing, rogue versions of popular apps such as Facebook and Instagram which, again, resulted in the target’s phone being infected.


Once a device is infected, an attacker can deploy more malware that’s hard or impossible to detect or remove. Moreover, this malware can literally do anything: eavesdropping on your phone conversations, reading your messages including banking OTPs, accessing your camera and microphones, etc. And yes, a malicious actor can even plant stuff onto your device.


With Pegasus, we at least had an assurance that the spyware was used by government agencies and law enforcement agencies only. There was no evidence to suggest that third-party or independent actors had any access to it. That is not the case with Hermit. There are cases where it has been alleged that criminals and other malicious parties have used Hermit to target certain people.


In a statement, RCS Lab, the software development and security firm, has stated that it only works with governments, providing technological solutions and technical support to the Lawful Enforcement Agencies across the world.

In an ideal world, it would mean that this malware is used only against criminals and terrorists. However, as the Pegasus spyware case has shown us, governments across the world have targeted journalists, political opponents, prominent lawmakers and judges in their countries, and human rights activists, using malware such as Hermit.


As deceptive as things are with Hermit, there are some basic safety precautions that can go a long way. Follow these religiously, and there is a good chance that you never get afflicted by these kinds of spyware and malware.

  • Keep your device’s software and apps updated. Ensure that you install all security updates promptly.
  • Never click on a suspicious link that you’ve received in an SMS, even if it appears to be from your service provider, Google, Facebook or any other service that you might be using.
  • Always install the apps you need from an authorised app store. Never let any other app download and install some other app.
  • Reboot your device daily. That way, if there’s anything suspicious going on, you will get to see clear evidence of that.
  • Use third-party browsers like DuckDuckGo and Vivaldi instead of any bundled browser.