Google warns Android users infected by Hermit, a government-grade spyware

Hermit, a previously unknown Android mobile malware, was recently attributed to the Italian software company RCS Lab by security researchers at Lookout. Android users whose phones were infected by the malware are now receiving notifications from Google’s threat experts, who have corroborated many of Lookout’s findings.

Lookout and Google both report that Hermit, a commercial spyware, has been used by governments in Kazakhstan and Italy, and Lookout says it has also observed the malware in use in Syria. On demand, the spyware downloads modules from its command-and-control servers to collect call logs, record ambient audio, redirect phone calls, and gather photos, messages, and the precise location of a victim’s phone. Lookout also found that Hermit attempts to root infected devices, giving it even deeper access to a victim’s data. Hermit runs on all versions of Android.

According to Lookout, targets are sent a malicious link by text message and are tricked into downloading and installing a malicious app from outside the app store. The malicious app poses as a genuine, branded telecom or messaging app.

On Thursday, Google published a blog post saying it had found evidence that, in some cases, the government actors operating the spyware worked with the target’s internet service provider to cut off the target’s mobile data connectivity, likely as bait to trick the target into downloading an app that appeared to restore the service.

Google also examined a sample of Hermit built to infect iPhones, which Lookout previously said it had not been able to obtain. Google found that the Hermit iOS app abuses Apple’s enterprise developer certificates, which allow the spyware to be sideloaded onto a victim’s device from outside the App Store, and that it is packed with six different exploits, two of which were zero-day vulnerabilities at the time they were discovered. Apple was aware that one of the zero-days was being actively exploited before it was patched.

Both companies said that no Android or iOS versions of the Hermit spyware were ever available in their app stores. For Android users with infected devices, Google Play Protect, the app security scanner built into Android, has been updated so that the app can no longer run. Google has also shut down the Firebase account the malware used to communicate with Google servers.

Google did not indicate how many Android users it was alerting.

An Apple spokeswoman confirmed that all known accounts and certificates associated with this malware campaign have been revoked.

Hermit is the latest example of government-grade spyware found to be in use by government agencies. As with spyware built by hacking-for-hire organisations such as NSO Group and Candiru, it is not yet known whether Hermit has been used to monitor journalists, activists, or human rights advocates.

When contacted for comment, RCS Lab provided an unattributed statement:

“RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.”