Last year, researchers found what at the time was quite possibly the world’s most sophisticated espionage app ever written for the Android mobile operating system. Now, in a discovery that underscores the growing arms race among competing malware developers, researchers have uncovered a new Android spying platform that includes location-based audio recording and other features that have never been seen in the wild before.
According to a report published Tuesday by antivirus provider Kaspersky Lab, “Skygofree” is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, geolocation data, calendar events, and business-related information stored in device memory.
Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that’s designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers.
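As an added defensive check (this is not code from the article or from Kaspersky Lab), the shell script below lists which apps on an Android device are currently enabled as accessibility services, the mechanism the article says Skygofree abuses to read WhatsApp messages, and flags any that are not on an allowlist you maintain. The two settings keys it reads are real Android "secure" settings; the package names, the allowlist and the sample value used when no device is attached are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or from Kaspersky Lab.
# Defensive check: enumerate enabled Android accessibility services and flag
# any whose package is not on a known-good allowlist. An enabled accessibility
# service can read the on-screen content of other apps, which is why an
# unexpected one deserves a look.
# The settings keys are real Android secure settings; the package names and
# the sample value below are constructed.

# Print each enabled accessibility service component (package/class), one per
# line. Input is the raw value of enabled_accessibility_services, which Android
# stores as a colon-separated list ("null" or empty when none are enabled).
parse_a11y_services() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | sed '/^$/d'
}

# Print enabled services whose package is not in the space-separated allowlist.
unexpected_a11y_services() {
    raw="$1"
    allow="$2"
    parse_a11y_services "$raw" | while IFS= read -r comp; do
        pkg="${comp%%/*}"          # package name is everything before the slash
        found=0
        for a in $allow; do
            [ "$a" = "$pkg" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$comp"
    done
    return 0
}

# Pull the live value from an attached device over adb (USB debugging enabled).
fetch_a11y_services() {
    adb shell settings get secure enabled_accessibility_services | tr -d '\r'
}

# Constructed sample: a screen reader you expect plus a component you never installed.
SAMPLE='com.example.screenreader/.ReaderService:com.example.unknown/.HelperService'
ALLOWLIST='com.example.screenreader'

# Audit a real device when adb and a device are present; otherwise audit the sample.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    unexpected_a11y_services "$(fetch_a11y_services)" "$ALLOWLIST"
else
    unexpected_a11y_services "$SAMPLE" "$ALLOWLIST"
fi
```

With a device attached the script prints any accessibility service not on the allowlist; without adb it audits the constructed sample and prints the unknown component. The same list is visible under Settings > Accessibility on the device, but scripting it lets you compare against a baseline across many devices, and a service you did not knowingly enable is worth investigating regardless of what its name suggests.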
Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide, among other things, a reverse shell, a keylogger, and a mechanism for recording Skype conversations.
“Fragilé? It must be Italian!”
The newly documented malware is roughly in the same league as Pegasus for Android, the companion app of Pegasus for iOS, which was discovered in August 2016 infecting the iPhone of a political dissident located in the United Arab Emirates. Pegasus is a full-featured espionage platform developed by Israel-based NSO Group; it performs keylogging, screenshot capture, live audio and video capture, remote control of the malware via SMS messaging, and data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, and Viber.
“The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform,” Kaspersky Lab researchers wrote. “As a result of the long-term development process, there are multiple, exceptional capabilities.” The three years of constant evolution have allowed Skygofree to offer novel capabilities and at the same time remain covert.
That’s not to say the malware is perfect. The various versions examined by Kaspersky Lab contained several artifacts that provide valuable clues about the people who may have developed and maintained the code. Traces include the domain name h3g.co, which was registered by Italian IT firm Negg International. Negg officials didn’t respond to an email requesting comment for this post. The malware may be filling a void left after the epic hack in 2015 of Hacking Team, another Italy-based developer of spyware.
Kaspersky Lab researchers said the malware is spread through Web landing pages that mimic the sites of Vodafone and other mobile operators. The domains used have been registered since 2015, and the campaign remains ongoing. Kaspersky Lab said that data it found indicated several people in Italy have been infected.
Skygofree is a reminder that so-called implant software sold to governments and police forces, sometimes in countries with poor human rights records, remains a threat to people using a wide variety of devices and operating systems. Users who think they’re likely to be targets should always pay close attention to website addresses they visit and when possible install software only from official app stores, and then only after careful research.