Hermit spyware is hijacking Android devices and iPhones — how to spot it before you're next

Watch out! A malignant malware threat is targeting both Android and iOS devices. Lookout, the security firm that first discovered the malware, dubbed it Hermit spyware, which is a bit of a misnomer. Why? Well, it's far from reclusive. It's designed to be intrusive, hijacking phones and wreaking havoc on devices.

According to Google's Threat Analysis Group (TAG), the malevolent actors behind the Hermit spyware attacks seemingly have their crosshairs on users in Italy and Kazakhstan — for now. To hamper its spread, we'll show you how Hermit spyware manifests, so you can spot it from a mile away.

Hermit Spyware: How it launches its attack

Lookout and TAG allege that the malicious team behind Hermit spyware is Italy-based spyware vendor RCS Labs. Get this! In some cases, the bad actors actually worked with Internet Service Providers (ISPs) to turn off victims' mobile data. The hackers would then pose as mobile carriers and send text messages with malicious links, convincing targets that clicking on them would help restore their internet connectivity.

Of course, that is far from true. Once the victim unwittingly downloads the malicious software, bad actors can gain access to the victim's location, photos, call records and text messages. To make matters worse, the hackers can intercept phone calls (and make them, too). They can also record audio with the victim's device.

In situations where ISPs are not involved, TAG says that Hermit spyware masquerades as a messaging app instead (e.g., WhatsApp). 

How to spot Hermit spyware

To arm you with knowledge on how Hermit spyware manifests, TAG posted a screenshot of how, in part, the spyware lures victims into its dangerous lair.

Hermit spyware (Image credit: Google)

"The page, in Italian, asks the user to install one of these [messaging] applications in order to recover their account," TAG said about the screenshot. "Looking at the code of the page, we can see that only the WhatsApp download links are pointing to attack-controlled content for Android and iOS users."

To conclude, if you receive a fishy text after your mobile data unexpectedly turns off, it could be a hacker pretending to be a trusted entity. And of course, if you stumble upon a page similar to the screenshot posted above, don't fall for it. If you do, your device may be in grave danger.
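The check TAG describes (reading the page's code to see where each download link really points) can be sketched as follows. This is an added example, not code from TAG, Lookout or the article; the allowlist of official hosts, the sample page, the `com.example.messenger` id and the `lure.example` host are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts treated as legitimate app sources (not a list from the article).
OFFICIAL_HOSTS = ("play.google.com", "apps.apple.com", "whatsapp.com")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> element on a page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def is_official(url):
    """True only for https URLs whose host is an official host or a subdomain of one."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and any(
        host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def suspicious_links(html):
    """Return (text, href) for links that do not lead to an official app source."""
    collector = LinkCollector()
    collector.feed(html)
    return [(text, href) for href, text in collector.links if not is_official(href)]

# Constructed sample page; lure.example is a placeholder host.
SAMPLE_PAGE = """
<p>Install one of these applications to recover your account:</p>
<a href="https://play.google.com/store/apps/details?id=com.example.messenger">Messenger</a>
<a href="https://lure.example/whatsapp.apk">WhatsApp (Android)</a>
<a href="https://whatsapp.com.lure.example/ios">WhatsApp (iOS)</a>
"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_PAGE):
        print(f"off-store download link: {text!r} -> {href}")
```

The host comparison requires an exact match or a dot-separated subdomain, so a lookalike such as `whatsapp.com.lure.example` is reported even though it begins with a trusted name. Relative links are reported too, since they resolve to whatever host serves the page.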

If you're wondering what Apple and Google are doing to combat this mean bug, according to The Verge, Apple revoked all known accounts and certificates associated with Hermit. As for Google, it pushed a Google Play Protect update to all users.

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!