
Android snoopware Skygofree can pilfer WhatsApp messages

Sophisticated nasty also able to listen in based on location

By John Leyden


Mobile malware strain Skygofree may be the most advanced Android-infecting nasty ever seen, antivirus-flinger Kaspersky Lab has warned.

Active since 2014, Skygofree, named after one of the domains used in the campaign, is spread through web pages mimicking leading mobile network operators and geared towards cyber-surveillance.

Skygofree includes a number of advanced features not seen in the wild before, including:

All the victims of the ongoing campaign detected so far have been located in Italy, leading Kaspersky to theorise that the developers are themselves Italian.

Kaspersky's researchers reckon the group may have filled the vacuum left by the demise of HackingTeam after a 2015 breach leaked the source code of the commercial surveillance/spyware tools the firm developed for law enforcement, along with other embarrassing secrets such as corporate emails.

Skygofree mobile malware evolution [source: Kaspersky Lab]

Skygofree is a strain of multi-stage spyware that gives attackers full remote control of an infected device. It has undergone continuous development since the first version was created at the end of 2014, Kaspersky Lab said.

"The implant carries multiple exploits for root access and is also capable of taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device's memory," the firm added.

The malware is even programmed to add itself to the list of "protected apps" so that it is not switched off automatically when the screen is off, circumventing a battery-saving feature that might otherwise limit its effectiveness.

The attackers also appear to have an interest in Windows users. Researchers found a number of recently developed modules targeting Microsoft's OS.

"High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion," said Alexey Firsh, Malware Analyst, Targeted Attacks Research, Kaspersky Lab.

"Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam."

More information, including a list of Skygofree's commands, indicators of compromise, domain addresses and the device models targeted by the implant's exploit modules can be found in a blog post on Securelist.com.

Bootnote

Kaspersky Lab moved to clarify that Skygofree has no connection to Sky, Sky Go or any other subsidiary of Sky, and does not affect the Sky Go service or app.
