Skygofree: Advanced, powerful Android surveillance software active since 2014

The Skygofree includes functionality never seen in the wild before, such as location-based audio recording through infected devices.

Update: 2018-01-18 02:25 GMT
The spyware is spread through web pages mimicking leading mobile network operators. Skygofree is a sophisticated, multi-stage spyware that gives attackers full remote control of an infected device.

Kaspersky Lab researchers have uncovered an advanced mobile implant, active since 2014 and designed for targeted cyber-surveillance, possibly as an ‘offensive security’ product. The implant, named Skygofree includes functionality never seen in the wild before, such as location-based audio recording through infected devices.

The spyware is spread through web pages mimicking leading mobile network operators. Skygofree is a sophisticated, multi-stage spyware that gives attackers full remote control of an infected device.

It has undergone continuous development since the first version was created at the end of 2014 and it now includes the ability to eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild. Other advanced, unseen features include using Accessibility Services to steal WhatsApp messages and the ability to connect an infected device to Wi-Fi networks controlled by the attackers.

The implant carries multiple exploits for root access and is also capable of taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory. A special feature enables it to circumvent a battery-saving technique implemented by a top device vendor: the implant adds itself to the list of ‘protected apps’ so that it is not switched off automatically when the screen is off.

The attackers also appear to have an interest in Windows users, and researchers found a number of recently developed modules targeting this platform.

Most of the spoofed landing pages used for spreading the implant were registered in 2015, when according to Kaspersky Lab telemetry the distribution campaign was at its most active. The campaign is ongoing and the most recent domain was registered in October 2017. The data shows there have been several victims to date, all in Italy.  

The researchers found 48 different commands that can be implemented by attackers, allowing for maximum flexibility of use.

Similar News

Cancel the noise