Advanced Android Spyware Discovered

Wednesday, January 17, 2018 @ 08:01 AM gHale

There is an advanced mobile implant focused on cyber-surveillance, possibly sold as an “offensive security” product, researchers said.

The implant, named Skygofree, includes functionality never seen before, such as location-based audio recording through infected devices, said researchers at Kaspersky Lab. The spyware, active since 2014, spreads through web pages mimicking leading mobile network operators.

Skygofree is sophisticated, multi-stage spyware that gives attackers full remote control of an infected device. It has undergone continuous development since the first version was created at the end of 2014 and it now includes the ability to eavesdrop on surrounding conversations and noise when an infected device enters a specified location, which researchers have never seen before. Other advanced, unseen features include using Accessibility Services to steal WhatsApp messages and the ability to connect an infected device to Wi-Fi networks controlled by the attackers.

The implant carries multiple exploits for root access and is also capable of taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory. A special feature enables it to circumvent a battery-saving technique implemented by a top device vendor: the implant adds itself to the list of ‘protected apps’ so it is not switched off automatically when the screen is off.

The attackers also appear to have an interest in Windows users, and researchers found modules targeting that platform.

Most of the spoofed landing pages used for spreading the implant were registered in 2015, when the distribution campaign was most active, researchers said. The campaign is ongoing and the most recent domain was registered in October 2017. The data shows there have been some victims, all located in Italy.

“High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: Creating and evolving an implant that can spy extensively on targets without arousing suspicion,” said Alexey Firsh, malware analyst, targeted attacks research, Kaspersky Lab. “Given the artifacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”

The researchers found 48 different commands attackers can implement, allowing for maximum flexibility of use.

Kaspersky Lab detects the Skygofree versions for Android as HEUR:Trojan.AndroidOS.Skygofree.a and HEUR:Trojan.AndroidOS.Skygofree.b, and the Windows samples as UDS:DangerousObject.Multi.Generic.

Click here for more information, including a list of Skygofree’s commands, indicators of compromise, domain addresses and the device models targeted by the implant’s exploit modules.
