Skygofree Android Spyware Threatens Privacy

Kaspersky finds spyware can read WhatsApp messages and take pictures, and it has been around for three years already

A new piece of Android spyware has been discovered that is being described as “one of the most advanced mobile implants … ever seen.”

The spyware, called Skygofree, was discovered by researchers at Kaspersky Lab, who warned that it has been active since 2014, and it can take pictures from the selfie camera, or even read WhatsApp messages.

The discovery of the surveillance software raises fresh questions over the security of Android, the world’s most popular smartphone operating system.

Android malware

Offensive Spyware

Kaspersky Lab reckons that Skygofree was developed by an Italian IT firm that specialises in surveillance solutions, as it found that all the victims have so far been detected in Italy.

The researchers said that the “highly advanced, powerful Android surveillance software” has been active since 2014, and could be “offensive security” product.

“The implant, named Skygofree includes functionality never seen in the wild before, such as location-based audio recording through infected devices,” said Kaspersky Lab. “The spyware is spread through web pages mimicking leading mobile network operators.”

Skygofree was named after one of the domains used in the campaign. Kaspersky Lab describes it as a sophisticated, multi-stage spyware that gives attackers full remote control of an infected device.

“It has undergone continuous development since the first version was created at the end of 2014 and it now includes the ability to eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild,” said the security firm. “Other advanced, unseen features include using Accessibility Services to steal WhatsApp messages and the ability to connect an infected device to Wi-Fi networks controlled by the attackers.”

And this is a truly nasty piece of spyware, as it carries multiple exploits for root access and is also capable of taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory.

The spyware even has a special feature that enables it to circumvent a battery-saving technique implemented by one leading Android handset maker.

Essentially, the spyware adds itself to the list of ‘protected apps’ so that it is not switched off automatically when the screen is off.

And the spyware has also been found on some Windows machines as well, after researchers found a number of recently developed modules targeting this platform.

Security Software

“High end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion,” said Alexey Firsh, malware analyst at Kaspersky Lab.

“Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”

The researchers apparently found 48 different commands that can be implemented by attackers, allowing for maximum flexibility of use.

Kaspersky Lab strongly recommends that Android users install a reliable security solution for their devices, and to always double-check the integrity and origin of websites before clicking on any links.

The security researcher pointed out that Skygofree has no connection to Sky, Sky Go or anything to do with the satellite television provider.

In December 2017 Kaspersky Lab also uncovered a new strain of Android malware that could run a number of different scams at once – so many that it could cause overheating and physical damage to a device.

Do you know all about security in 2017? Try our quiz!