Hermit is a mobile spyware product attributed to RCS Lab, an Italian surveillance vendor based in Milan that merged into Cy4Gate in 2022. The tool was documented by Lookout and Google’s Threat Analysis Group in June 2022 following deployments in Kazakhstan against domestic dissidents and in Italy against an anti-corruption protest organiser. Hermit targets Android and iOS through a combination of social engineering and, in documented cases, internet service provider cooperation that redirects mobile traffic to a malicious download.
What it means in practice
Hermit is delivered through a combination of social engineering and ISP-level traffic redirection. The social engineering vector uses fake security alerts that prompt the target to install what appears to be a carrier update or banking app. The ISP-assisted vector, documented in the 2022 Italian and Kazakh cases, involves the target’s mobile data carrier injecting a download prompt directly into the user’s web traffic. On iOS, the infection chain has used enterprise developer certificates obtained through compromised or complicit corporate accounts.
Specific things to know
RCS Lab has supplied Italian law enforcement and other European customers since the early 2000s. The June 2022 Google TAG and Lookout disclosure documented Kazakhstan and Italy as deployment geographies, with infrastructure indicators suggesting additional customers in Syria. Apple has revoked the abused enterprise certificates following disclosure. The merger of RCS Lab into Cy4Gate in 2022 consolidated the Italian commercial surveillance market under a single listed company, with operations continuing under the parent name.
Change today
Never install a profile, configuration file, or enterprise app from an unsolicited link. The Hermit chain depends on the user accepting an enterprise certificate or downloading an APK through a redirected page. On Android, disable installation from unknown sources, review installed apps quarterly, and verify that the apps you do have were installed from a recognised store. On iOS, check Settings > General > VPN & Device Management for any unfamiliar configuration profiles and remove anything you did not knowingly install.
Related articles
See our coverage of ISP-assisted infection delivery, Italian captatori law, and the European commercial spyware ecosystem.
