Android spyware developed by RCS Lab, a company in the same market as notorious Pegasus spyware developer NSO Group, has been discovered in Kazakhstan only months after protests against the government were met with violence.
Security researchers with Lookout Threat Lab did not specify who the targets of the Android spyware were, but raised concerns based on the timing and the fact that a threat actor appears to have deployed it in Syria in opposition to the Syrian Defense Forces.
“Enterprise-grade” Android spyware created by “lawful intercept” company
The Lookout researchers indicate there is evidence to suggest that the national government of Kazakhstan deployed the Android spyware within its borders. This follows an extended period of unrest in the country that dates back to January 2022, when citizens took to the streets in protest of a sharp and sudden rise in gas prices due to a government policy change. The protests spread quickly across the country and some turned into riots, prompting a government declaration of a state of emergency and authorization of the use of lethal force by the president. Roughly a week of violence led to 227 deaths and over 9,000 arrests.
The samples of Android spyware were picked up by Lookout in April. The spyware, called Hermit, is developed by an Italian company called RCS Lab S.p.A. that is in the same “lawful intercept” market as NSO Group. As with NSO’s Pegasus product, the company advertises that it only provides its products to law enforcement agencies from nations that don’t have records of human rights abuses. And, like Pegasus, it has popped up in multiple places that do not fit this description.
Lookout has logged previous instances of Hermit being used in Italy in 2019 as part of an anti-corruption operation, and in the conflict-ridden northeast region of Syria. The Android spyware is not as prolific or powerful as Pegasus; it does not use “zero click” techniques, but instead spreads via SMS messages that pose as communications from legitimate brands and load malware-ridden clones of their official websites. Once installed, Hermit has 25 individual modules with varying capabilities: logging all sorts of data from the phone, recording phone call audio, and redirecting phone calls, among others. The operator can select freely from these modules.
There is reportedly also an iOS version of Hermit, but the Lookout researchers were not able to obtain a sample of it. This is the first instance of a specific customer being linked to RCS Lab’s Android spyware, but the company’s general regional dealings are known thanks to document leaks.
Kazakhstan national government linked to Android spyware
The deployment of Hermit has been linked to the Kazakhstan government via the unmasking of the real IP address of one of its command and control servers, which is located in the country’s capital of Nur-Sultan. The attacker attempted to disguise the traffic as belonging to a variety of technology companies: Samsung, Vivo and Chinese electronics manufacturer Oppo.
RCS Lab is very quiet about who it does business with, but WikiLeaks releases from 2015 indicate that it has provided Android spyware to authoritarian governments in Myanmar, Vietnam and Turkmenistan among others. It also has prior ties to Syria through a Berlin company called Advanced German Technology that it partnered with to sell surveillance products.
The company appears to have been doing business in Syria with opponents of the Syrian Democratic Forces (SDF), the Kurdish-led coalition that seeks to establish a democratic government and is backed by Western powers. The SDF was key in repelling ISIS from the country. In this case, whoever its customer was used a domain that spoofed the Rojava Network as a means to deliver the Android spyware. The Rojava Network has a Facebook and Twitter presence that posts news and political analysis from a perspective supportive of the SDF. The SDF remains engaged against a collection of Islamist and Arab nationalist forces in the region, largely backed by Turkey.
The incident once again brings the murky world of “law enforcement surveillanceware” into focus, an industry in which NSO Group and Pegasus are both the most familiar names and the most “legitimate” products despite a mounting record of use for repressive and invasive purposes. NSO Group has faced increasing financial difficulty since a torrent of these reports began with the 2021 “Pegasus Project” founded by Amnesty International and an assortment of major international news agencies. The company has recently floated two ideas publicly for its continued survival, neither particularly appealing: it has talked about either openly selling its iOS and Android spyware to more “questionable” customers, or selling the entire operation off to American defense contractor L3Harris (manufacturer of Stingray cellular phone trackers). The latter possibility has some worried that Pegasus could be broadly adopted by US law enforcement if it were provided with that layer of legitimacy.