malware

Skygofree Android spyware records audio at pre-defined location

A newly discovered Android spyware, dubbed Skygofree, offers its users a number of unprecedented surveillance capabilities. The spyware, in development since at least 2014, is enhanced with a few capabilities that make it different to the tons of other Android malware Kaspersky Lab researchers have previously analysed.

“The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform,” Kaspersky Lab researchers wrote

Some of the “remarkable new features” Skygofree has gained since 2014 include launching the infected device’s mic to record audio at a predefined location, stealing WhatsApp messages, and forcing a device to connect to an attacker-controlled Wi-Fi network.

Skygofree was developed by an unnamed Italian IT company, drawing comparisons to fellow Italian surveillance software vendor HackingTeam and other tech firms from the nation suspected of developing spyware and then selling it to agencies in repressive regimes.

To infect targets Skygofree’s creators registered domains that appear similar in name to legitimate mobile operators’ sites, including Vodafone, Three, Wind, Lycamobile, and Sky. The malware was called Skygofree because it was one of the domain names used to spread the malware. The landing pages also mimick the content of the Italian carriers’ real pages.

The attack pages encourage targets to download an update that promises to optimize mobile network speeds, offering the generally bad advice to go to Settings and allow downloads from unknown sources.

Kaspersky doesn’t know how the landing pages were forced on to target phones, but suggests it would have been possible either via a malicious redirect or hijacking a phone once its connects to an attacker-controlled wifi access point.

Earlier versions of Skygofree have all the features to be expected of surveillance-ware, such as uploading recorded audio, stealing and uploading data from the clipboard, as well as recording video and capturing photos from the front-facing camera when the user unlocks the device.

The most recent version of the malware was signed by a certificate that was valid from September  2017. This version contains the location-based audio recording feature, which is achieved by using a legitimate command in Android for monitoring geofences. This allows developers to make an app aware of a user’s current location and their proximity to a specified point of interest in order to trigger some functionality in an app, which in the malware’s case was to trigger audio record.

The malware steals WhatsApp messages by abusing Android’s Accessibility Services. Google in November said it would remove apps from Google Play if they used accessibility services for another other than accessibility due to recent misuse by malware makers. One Android ransomware used Android accessibility permissions to activate device administrator rights and silently set itself as the default Home app. Skygofree uses it to grab WhatsApp messages displayed on the screen.

Kaspersky researchers discovered a related piece of Windows malware with similar functionality, including a module with the ability to capture Skype call recordings.

The Android malware also packs several old exploits, including TowelRoot, in order to gain root on a range of popular Android devices.