Researchers have identified a powerful new Android malware strain called Skygofree capable of eavesdropping on WhatsApp messages, siphoning private data off phones and allowing adversaries to open reverse shell modules on targeted devices, giving attackers ultimate remote control.
Researchers said the malware was developed three years ago and has evolved significantly since then to include 48 unique commands in it most recent iteration. Several of those features have never been seen before in Android malware, according to researchers at Kaspersky Lab who discovered the Skygofree strain last year and disclosed its findings Tuesday.
“The implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals,” wrote researchers Nikita Buchka and Alexey Firsh in a technical breakdown of their research.
Clues as to who is behind the malware trace back to the Italian firm Negg International. Researchers said domains used for landing pages to spread the malware were registered to the company.
Negg International did not return requests for comment. According to the company’s website, it offers a wide range of app development, pen testing and cybersecurity consulting services.
Kaspersky Lab said Skygofree victims were likely infected via malicious redirects or man-in-the-middle attacks driving users to landing pages that mimic mobile carrier web sites. Those landing pages included similar domain names and web page content to wireless carriers. Once targets were lured to landing page sites they were prompted to update their phone’s software.
“Dear Customer, in order to avoid malfunctions to your internet connection, we encourage you to upgrade your configuration. Download the update now and keep on navigating at maximum speed,” read one fake landing page targeting Vodafone customers.
Researchers describe Skygofree as a complex system capable of a wide range of spying, similar to Pegasus discovered in August 2016. Pegasus was part of a spy platform traced back to a cyber arms-dealing outfit in Israel known as the NSO Group. Pegasus consisted of three Apple iOS zero days that were used to spy on a political dissident.
Kaspersky Lab said in the case of Skygofree, it was only aware of a handful of users in Italy being targeted with the malware.
Those Italian links have also prompted comparison between Skygofree and Italy-based intrusion software vendor HackingTeam. HackingTeam is known for selling surveillance and intrusion software products designed to help law enforcement agencies and other customers perform remote penetration and control of target systems.
“Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam,” researchers wrote.
Kaspersky Lab researchers said Skygofree’s advanced spy features also included recording Skype conversations and the unique ability to capture WhatsApp end-to-end encrypted conversations via exploiting Android Accessibility Services designed to assist users with disabilities.
“The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages,” researchers wrote regarding capturing WhatsApp conversations. “Note that the implant needs special permission to use the Accessibility Service API, but there is a command that performs a request with a phishing text displayed to the user to obtain such permission.”
Kaspersky Lab said the Skygofree Android implant is one of the most powerful spyware tools that it has ever seen for the Android platform. “As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations,” researchers wrote.