
Hermit & Predator Spyware Explained

Eng. Donya Bino

Hermit / Predator-style spyware refers to a class of highly sophisticated, commercial spyware (often called "lawful intercept" or "government-grade" tools) that can silently infect mobile devices (primarily Android and iOS) and provide full remote surveillance.

These tools are built and sold by private companies to governments, intelligence agencies, and law enforcement, not openly to criminals, though leaks and misuse have occurred. The two best-known examples in this category are:
1. Hermit (developed by RCS Lab, Italy)
2. Predator (developed by Cytrox / Intellexa consortium, North Macedonia / Greece / others)

They represent the same style of attack: zero-click or one-click infection, deep device access, and very low detection footprint.

A simplified guide to understanding Hermit/Predator-style spyware
1. Delivery mechanisms (both 0-click & small clickthrough)
a) 0-click – the victim receives a specially crafted iMessage, WhatsApp message, or SMS carrying an exploit that runs without the victim needing to open or tap anything, and that leaves little or no visible trace.
b) 1-click – the victim taps a link sent via SMS/WhatsApp/email that takes them to an exploit server.
c) Common lures: “Your package is late and you can track it here”, “You have an urgent court summons”, “You have a new voice mail”, and “There is a security alert from your bank”.

2. Infection and exploitation methods
a) The spyware exploits a vulnerability in an iOS/Android component (e.g. WebKit, the kernel, or a media parser) that may be a zero-day or an n-day.
b) Once inside, it installs a persistent implant so that it survives multiple reboots.
c) On iOS, it abuses enterprise (company) certificates and configuration profiles.
d) On Android, it uses techniques such as abusing Accessibility Service permissions, side-loaded APKs, or code executed with system privileges.
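
The Android footholds listed above (side-loaded APKs and abused Accessibility Services) leave traces that a defender can pull off a device with adb. The script below is an added illustration, not code from the original article or from any vendor: it parses the text printed by `adb shell pm list packages -i` (which names the installer of each package) and `adb shell settings get secure enabled_accessibility_services`, and flags packages that did not come from a trusted store and accessibility services outside a baseline. The sample outputs are constructed, and the trusted-installer, system-prefix and accessibility allow-lists are hypothetical placeholders that a real deployment would derive from a known-good device.

```python
"""Triage Android package-installer and accessibility-service data.

Added example (not from the original article). Input is the text that
`adb shell pm list packages -i` and
`adb shell settings get secure enabled_accessibility_services` print.
"""
import re

# Constructed sample of `pm list packages -i` output.
SAMPLE_PM_LIST = """\
package:com.android.settings  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.example.trackmyparcel  installer=com.google.android.packageinstaller
package:org.example.systemupdate  installer=null
"""

# Constructed sample of the enabled_accessibility_services setting
# (colon-separated "package/ServiceClass" entries; "null" when unset).
SAMPLE_A11Y = (
    "com.example.trackmyparcel/com.example.trackmyparcel.OverlayService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Hypothetical baseline values; derive real ones from a known-good device.
TRUSTED_INSTALLERS = {"com.android.vending"}               # Play Store
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")  # noise reduction only
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text):
    """Return {package: installer or None} from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            result[m.group("pkg")] = None if inst == "null" else inst
    return result


def sideloaded_packages(pkgs):
    """Packages not installed by a trusted store.

    Preinstalled system apps report installer=null; skipping system-looking
    prefixes only cuts noise, a package name proves nothing about origin.
    """
    flagged = []
    for pkg, inst in sorted(pkgs.items()):
        if inst in TRUSTED_INSTALLERS:
            continue
        if inst is None and pkg.startswith(SYSTEM_PREFIXES):
            continue
        flagged.append(pkg)
    return flagged


def parse_enabled_a11y(value):
    """Split the setting into (package, service) pairs; "null" means none enabled."""
    pairs = []
    if value.strip() == "null":
        return pairs
    for entry in value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        pairs.append((pkg, svc))
    return pairs


def unexpected_a11y(pairs):
    """Accessibility services whose package is not on the baseline allow-list."""
    return [(p, s) for p, s in pairs if p not in ALLOWED_A11Y_PACKAGES]


def triage(pm_text=SAMPLE_PM_LIST, a11y_value=SAMPLE_A11Y):
    """Run both checks and return the findings as a dict."""
    return {
        "sideloaded": sideloaded_packages(parse_pm_list(pm_text)),
        "accessibility": unexpected_a11y(parse_enabled_a11y(a11y_value)),
    }


if __name__ == "__main__":
    for kind, hits in triage().items():
        for hit in hits:
            print(f"[{kind}] {hit}")
```

On the constructed sample this flags two packages that no store installed and one accessibility service outside the baseline; on a real device the output is a starting point for a manual look, not a verdict, since a legitimate enterprise app can trip both checks.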

3. Capabilities (what it can do after compromising the victim)
a) Read all messages (WhatsApp, Signal, Telegram, iMessage, SMS), including end-to-end encrypted ones, which it captures on the device before encryption or after decryption.
b) Capture voice calls, record surrounding audio and capture images from both front and back cameras.
c) Track real-time location using GPS data.
d) Steal contacts, photos, documents and passwords stored in keychains.
e) Capture two-factor authentication codes.
f) Monitor applications used, record keystrokes and clipboard data.
g) Self-destruct or force the device to crash (sometimes producing a "blue screen" type of panic on an Android emulator) if it detects that it is being analyzed.

4. Evasion & Anti-Analysis
a) Low network traffic (low-and-slow command and control over HTTPS/DNS).
b) Detects debuggers, emulators and sandbox environments → self-delete or cause a device crash.
c) Utilizes obfuscation, dynamic command and control domains, encrypted communications and other methods.
d) Often disables crash notifications and hides itself from app listings.
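
Low-and-slow command and control is quiet per request but regular over time: one destination, contacted at a steady interval with small payloads, whereas ordinary app and browser traffic is bursty. The script below is an added illustration, not from the original article, of how a defender can surface that pattern in egress logs. It groups constructed log lines by device and destination, measures the spread of the inter-request intervals (coefficient of variation), and reports destinations that are contacted at a near-constant period with small requests. The log format, field names and thresholds are assumptions for the example, not any product's real format.

```python
"""Periodicity check over egress logs to surface low-and-slow beaconing.

Added example (not from the original article). Log format is assumed:
"<ISO timestamp> <device> <destination> <bytes_out>", one event per line.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: a bursty CDN conversation and a steady 5-minute beacon.
SAMPLE_LOG = """\
2025-01-10T08:00:00 phone-17 cdn.example.org 48211
2025-01-10T08:00:01 phone-17 cdn.example.org 9120
2025-01-10T08:00:02 phone-17 cdn.example.org 15077
2025-01-10T08:00:00 phone-17 updates.example-telemetry.net 312
2025-01-10T08:05:02 phone-17 updates.example-telemetry.net 305
2025-01-10T08:09:58 phone-17 updates.example-telemetry.net 318
2025-01-10T08:15:01 phone-17 updates.example-telemetry.net 309
2025-01-10T08:19:59 phone-17 updates.example-telemetry.net 311
2025-01-10T08:25:00 phone-17 updates.example-telemetry.net 307
2025-01-10T08:37:45 phone-17 cdn.example.org 2203
2025-01-10T08:37:46 phone-17 cdn.example.org 77010
2025-01-10T09:12:30 phone-17 cdn.example.org 6650
"""


def parse_log(text):
    """Group events as {(device, destination): [(timestamp, bytes_out), ...]}."""
    by_dest = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the run
        ts, device, dest, size = parts
        by_dest[(device, dest)].append((datetime.fromisoformat(ts), int(size)))
    return by_dest


def beacon_score(events, min_events=5):
    """Return (cv, mean_interval_s, median_bytes), or None with too few events.

    cv is the standard deviation of the gaps between consecutive requests
    divided by their mean: near 0 means a fixed period, near or above 1 means
    bursty, human-driven traffic.
    """
    if len(events) < min_events:
        return None
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    m = mean(gaps)
    if m <= 0:
        return None
    sizes = sorted(s for _, s in events)
    return pstdev(gaps) / m, m, sizes[len(sizes) // 2]


def find_beacons(text, max_cv=0.1, max_bytes=1024):
    """Destinations contacted at a near-constant period with small requests.

    Thresholds are illustrative; tune them against a baseline of normal traffic.
    Returns sorted (device, destination, period_s, cv) tuples.
    """
    hits = []
    for (device, dest), events in parse_log(text).items():
        score = beacon_score(events)
        if score is None:
            continue
        cv, period, median_bytes = score
        if cv <= max_cv and median_bytes <= max_bytes:
            hits.append((device, dest, round(period), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for device, dest, period, cv in find_beacons(SAMPLE_LOG):
        print(f"{device} -> {dest}: every ~{period}s (cv={cv})")
```

On the sample, the telemetry host is reported with a period of about 300 seconds and a cv under 0.01, while the CDN host is not, despite more traffic. Legitimate software also polls on a timer, so a hit is a lead for checking the destination's reputation and the originating app, not proof of an implant.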

Real-world examples & known uses
1. Hermit (RCS Lab, Italy)
a) Discovered in 2022 by Lookout and Google TAG.
b) Used by Italian law enforcement (and reportedly sold to others) to target protestors, reporters, and politicians.
c) Delivered through a text message pretending to offer an update or a delivery notice, leading to a zero-click exploit chain on both iOS and Android.
d) Features: full microphone and camera access, location tracking and message interception.

2. Predator (Cytrox/Intellexa)
a) Exposed by Citizen Lab, Meta and Google (reports between 2021 and 2023).
b) Sold to governments in Egypt, Saudi Arabia, Greece, Armenia, Indonesia, etc.
c) Used to target journalists, opposition politicians and other dissidents (Greek journalist Thanasis Koukakis, Catalan politicians, etc.).
d) Zero-click via iMessage/WhatsApp exploits, or one-click via SMS links.
e) Continued to be sold from 2023 to 2025 despite EU and US sanctions against Intellexa's executives.

3. Other tools in the same category
a) Pegasus (NSO Group) is the best known and is the same type of tool.
b) Candiru (Israel), FinFisher (Gamma Group) and Hacking Team's RCS are older tools of a similar type.

Why this matters 
1. These tools are not mass-market malware: they are expensive (millions of dollars per target) and used selectively.
2. Targets are usually high-profile: journalists, activists, politicians, business executives, dissidents.
3. But leaks/misuse happen: tools get resold or copied, lowering the bar over time.

How to protect against this style of spyware
1. Keep iOS/Android fully updated (zero-days get patched fast).
2. Avoid clicking suspicious links in SMS/WhatsApp/email.
3. Use Lockdown Mode on iOS (blocks most zero-click vectors).
4. Disable iMessage/SMS preview if high-risk.
5. Use strong, unique device passcode + biometric.
6. Avoid sideloading APKs (Android).
7. If you suspect infection: factory reset + update, or seek forensic help (Amnesty International, Citizen Lab offer guidance).

Hermit/Predator-style spyware represents the high end of mobile surveillance: government-grade, stealthy, and very hard to detect once installed. For most people the risk is low, but for anyone in journalism, activism, politics, or sensitive business, it’s worth taking the basic precautions seriously.


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067