Google Says Threat Actors and ISPs Teamed Up to Spread Spyware

iOS and Android users in Kazakhstan and Italy are among the initial victims of the spyware - which can record device audio.

Research released by Google’s Threat Analysis Group (TAG) claims that internet service providers (ISPs) participated in a spyware campaign, including disabling victims’ mobile data.

The tech giant’s findings seem to corroborate similar claims made by the security research team at Lookout, who linked the spyware to RCS Labs, a company that provides “technical support” to law enforcement agencies.

Although spyware is a powerful class of malicious software, a high-class antivirus software program designed for mobile would be your best line of defense – companies like Avast provide security software for mobiles, including free software with anti-spyware features.

What Did Google and Lookout Find?

Google’s Threat Analysis Group, which has been “tracking the activities of commercial spyware vendors for years”, says RCS Labs is using “drive-by downloads” as infection vectors to target iOS and Android users with a class of modular surveillanceware called Hermit.

All the devices currently identified as being infected with the spyware, Google says, are based in Kazakhstan and Italy – the latter also being the location of RCS Labs.

The campaigns began with unique links sent to targets, and once clicked, the page attempted to get the user to download a malicious application.

Google believes that the attackers actively worked with the victims’ internet service providers to cut their connectivity to the internet, with the goal of pushing them into clicking a malicious link to return the connectivity to normal.

This backed up Lookout’s earlier, similar claims about Hermit. Its security researchers have been tracking the spyware in Kazakhstan since April, “four months after nation-wide protests against government policies were violently suppressed”, and also noted that they had observed it being used in Italy as far back as 2019 during an anti-corruption operation.

According to Lookout, Hermit spyware can record audio, as well as redirect phone calls from infected devices. It’ll also collect data, including call logs, contacts, photos, text messages, and location information.

RCS Labs: Who Are They, and What Do They Do?

Lookout says RCS Labs is a similar entity to the NSO Group – the organization behind the Pegasus spyware that made headlines last year – and effectively creates spyware for government agencies.

Lookout says that these companies collectively brand themselves as “lawful intercept” businesses, but that their products, services, and tools are then deployed in insidious ways in the name of national security.

In a statement given to TechCrunch, RCS Labs said that its products operate “in compliance with both national and European rules and regulations.”

“Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers,” the company added.

Can You Protect Yourself Against Spyware?

Stories like this make you think: “is there anything I can do – or any software I can download – that will help me protect myself?” With spyware, it’s quite difficult to say – especially when it’s being used by powerful government agencies or sophisticated threat groups.

It’s unclear whether a VPN would have helped any users in this situation. VPNs make it nigh-on impossible for your internet service provider to attribute the traffic you’re producing to you, and are a great tool to battle government censorship and preserve your privacy – but you need something else to protect yourself against things like Hermit.

Your best bet against spyware is definitely antivirus software for mobiles. Avast, for example, has a free spyware remover and cleaner tool available for both Android and iOS (as well as Mac), along with a premium security offering with a wealth of features.

Considering how sophisticated and pervasive spyware like Hermit can be, it’s certainly worth the download.


Written by:
Aaron Drapkin is's Content Manager. He has been researching and writing about technology, politics, and society in print and online publications since graduating with a Philosophy degree from the University of Bristol six years ago. Aaron's focus areas include VPNs, cybersecurity, AI and project management software. He has been quoted in the Daily Mirror, Daily Express, The Daily Mail, Computer Weekly, Cybernews, Lifewire, HR News and the Silicon Republic speaking on various privacy and cybersecurity issues, and has articles published in Wired, Vice, Metro, ProPrivacy, The Week, and covering a wide range of topics.