Skygofree steals messages, eavesdrops on conversations
Researchers at Kaspersky Lab have discovered an advanced mobile implant designed for targeted cyber surveillance. The spyware is spread through Web pages imitating leading mobile network operators.
Dubbed Skygofree, the spyware has been active since 2014 and, according to the company, possibly designed as an "offensive security" product.
It contains functionality not seen in the wild before, including location-based audio recording through infected devices. Other advanced, previously unseen features include using accessibility services to steal WhatsApp messages, as well as the ability to connect an infected device to WiFi networks controlled by the attackers.
According to Kaspersky, the implant is sophisticated, multi-stage spyware that gives attackers full remote control of an infected device.
"It has undergone continuous development since the first version was created at the end of 2014 and now includes the ability to eavesdrop on surrounding conversations and noise when an infected device enters a specified location - a feature that has not previously been seen in the wild."
The security company says the spyware contains multiple exploits for root access and has the ability to take pictures and videos, seize call records, SMS, geolocation, calendar events and business-related information stored in a device's memory.
Another feature allows it to bypass a battery-saving technique by adding itself to the list of 'protected apps' so that it is not switched off automatically when the screen is off.
Researchers discovered 48 different commands that can be implemented by attackers, allowing for the greatest possible flexibility of use.
Uri Rivner, VP of cyber strategy at BioCatch, says the assumption that mobile phones have airtight security has been proven wrong time and again.
"Mobile phones, particularly those running on Android OS, are a favoured hijacking target for government intelligence services, law enforcement agencies, hacktivists, organised crime rings and surveillance vendors."
Rivner says Skygofree is heavily focused on collecting video, audio and application data and isn't targeting any financial-related apps. "It is focused on obtaining information and intelligence from individuals who may be targets in their own right, or who work in sensitive roles within government or corporate environments."
Meanwhile, he says, in the financial world, the concept of 'trusted devices' and using the mobile phone as an authenticator is also being constantly challenged. "Remote access functionality allows an attacker to access from the user's trusted mobile device."
Moreover, he says whenever a user has a new device, the trust chain is broken and needs to be re-established - a process that cyber criminals can easily exploit. By employing identifier binding, they can bind a device they control to the victim's identity, creating a second 'trusted device' that is quite the opposite.
"For these reasons, mobile phones are no longer perceived as the panacea for protecting digital identities, and additional controls are needed to secure them from hijacking."
According to Kaspersky Lab's telemetry data, most of the fake landing pages used for spreading Skygofree were registered in 2015. At that time, the distribution campaign was at its most active, although the campaign is ongoing, with the most recent domain registered in October last year. The data shows there have been several victims to date, all in Italy.
Alexey Firsh, malware analyst, targeted attacks research at Kaspersky Lab, says high-end mobile malware is incredibly difficult to identify and block, and Skygofree's developers have taken advantage of this. They have created and developed a tool that can spy extensively on targets without arousing suspicion.
The artefacts the researchers discovered in the malware code and their analysis of the infrastructure lead them to believe the developer behind Skygofree is an Italian IT company that offers surveillance solutions.