The Hermit spyware (it was dubbed Hermit by security firm , which first reported its discovery) is part of a dangerous and sophisticated malware attack that's actively being used in the wild. Attackers are using zero-day vulnerabilities (meaning those that haven't yet been patched) and other dangerous exploits in Android and iOS code to deploy malware that can take control over someone's iOS or Android device.
In this Slogging thread, our community discussed the Hermit Spyware and how it captures a great deal of private information about its victims, including their whereabouts, contacts, private messages, images, call logs, phone conversations, background audio recordings, and more.
This Slogging thread by Valentine Enedah, Mónica Freitas, Sara Pinto and Teri occurred in slogging's official #technology channel, and has been edited for readability.
The Hermit Spyware: How to protect yourself from it.
The attack
The bad news is that, when performed properly, this is a highly sophisticated attack that could fool nearly anyone. One tactic that the attackers have employed, per TAG, is to work with the target's ISP to disable the target's mobile data connectivity and send them a malicious link via SMS to recover connectivity — and install the malware.
It's unclear whether the attackers actually got the ISPs to participate in the attack, or whether they had an insider who could perform these actions for them, but the result is chillingly dangerous. Imagine your phone losing mobile data connectivity and then immediately getting a message from your vendor saying, "Yeah, we know your phone's data connectivity doesn't work, here's a link to fix it." Unless you're aware of this particular attack, you'd probably click on it without much hesitation.
But what do you think?
How do you think we can increase mobile security for our devices?
The scams just keep on popping up
We had something kinda similar a while back. People were getting messages claiming the items they ordered were stuck in customs and that they'd have to access a link to release them. Once you clicked on the link, it'd take you to a page where you had to put your bank card details. Once you did that they could start using all the money you had in that bank account. I was one of the targeted people: I found it weird that I was getting SMS from a private number instead of an organization like the post office or DHL. And found it even weirder that they were asking for my card details. That's what tipped me off to Google the phone number - which confirmed it was a scam. But a friend of mine was not so lucky.
This new scam is even scarier because they can get their hands on all sorts of private information.
And the way they use social media to do it makes it even trickier to distrust.
I think one good rule to prevent this is to never answer any message or email that asks for login info or to click a link to solve a problem you never had before.
When in doubt, do a quick Google search to verify the message or contact the company directly. My philosophy is that if it's important enough and legit, companies will call you.
This is quite scary. We see new scams every day, and the only thing going for me in this thread is the hope of not spreading massively, as you mentioned, Valentine Enedah.
We have this information coming at us, as a way to protect ourselves. However, I get scared for the older generations that don't get this news and end up being more naive when it comes to those sketchy messages we usually receive with links.
Mónica Freitas Wow, you are so lucky to escape that. I had one experience where a person called me to tell me that I had gotten a role at an Oil & Gas company. A role that I didn't apply for.😂
Back then, before we experienced the technology age in Nigeria, there were oil & gas companies already existing. Just working for these companies signified that you are set for life!😂
I wasted his time and his call credit.
Also, I had an experience in High School where my Facebook account was hacked! It sounded unbelievable because of the fact that I hardly ever used that account.
Do you have any idea about who hacked you? A colleague or was it a mainstream hack?
What was the goal of that call? Were they trying to get access to your bank account details or something?
Mónica Freitas Till this very day, I don't know who hacked my account. The person hacked my account to display links to NSFW from a porn website. I was just 16 then, plus my mum and teachers were angry with me for what I didn't do.😂
It was a horrible experience and I wouldn't wish that for anyone.