Security researchers at Kaspersky have uncovered a new form of Android spyware with capabilities that make it among the most advanced targeted surveillance tools ever seen on mobile devices.
Dubbed ‘Skygofree’ after a string in one of the domains it uses, the multistage malware gives attackers full remote control of the compromised device, letting them read communications passing through encrypted messaging apps such as WhatsApp, record surrounding audio when the device enters specified locations, and force the device onto Wi-Fi networks controlled by the malware’s operators.
“The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform,” the researchers wrote. “As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.”
Skygofree allows attackers to trigger 48 different commands, giving them access to a wide range of data and functions on the infected device. Once it has gained root privileges, the malware can also capture video and photos, collect text messages and call records, and track the user’s location via GPS. It can also read other information stored on the device, including the calendar.
Unlike most spyware tools, this particular variant carries a payload dedicated almost exclusively to WhatsApp, the world’s most popular mobile instant messaging application. “The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen,” researchers revealed. As a result, it merely has to wait for WhatsApp to launch before walking the view hierarchy to find the text of messages shown on the display. Because the text is read from the rendered user interface after WhatsApp has already decrypted it, this sidesteps end-to-end encryption rather than breaking it. It does depend on the malicious accessibility service being enabled in the device’s settings, since Android only grants that API to services the user has explicitly turned on.
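One practical check that follows from this is to audit which accessibility services a device actually has enabled, since any unexpected entry has the same read-the-screen access the Skygofree payload relies on. The script below is an added example, not code from Kaspersky’s report or from the implant itself. It parses the raw value of the `enabled_accessibility_services` secure setting (the output of `adb shell settings get secure enabled_accessibility_services`) and flags every service whose package is not on an allowlist. The allowlist contents and the sample device output are constructed for illustration; the unknown package in the sample is not an indicator associated with Skygofree.

```python
"""Flag unexpected Android accessibility services.

Added example, not part of the Kaspersky report. Input is the raw value of
the secure setting `enabled_accessibility_services`: a colon-separated list
of flattened component names, either "pkg/fully.qualified.Cls" or the short
form "pkg/.RelativeCls".
"""
from __future__ import annotations

import shutil
import subprocess
from dataclasses import dataclass

# Packages that legitimately hold accessibility access on the fleet being
# audited. Assumption for this example: a screen reader and Switch Access only.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
    "com.google.android.accessibility.switchaccess",
})

# Constructed sample of what `settings get secure enabled_accessibility_services`
# might return: one expected screen reader plus an unknown service written in
# the short "/.Class" component form. Not a real Skygofree indicator.
SAMPLE_DEVICE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.svc.AccService"
)


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str  # fully qualified service class, "" if the entry had none


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Split the setting value into services, expanding short class names."""
    raw = raw.strip()
    if raw in ("", "null"):  # `settings get` prints "null" for an unset key
        return []
    services = []
    for flattened in raw.split(":"):
        if not flattened:  # tolerate a trailing or doubled separator
            continue
        package, sep, cls = flattened.partition("/")
        if not sep:  # malformed entry with no class part: keep it for review
            cls = ""
        elif cls.startswith("."):  # short form: class name relative to package
            cls = package + cls
        services.append(AccessibilityService(package, cls))
    return services


def suspicious_services(raw: str, allowed=ALLOWED_PACKAGES) -> list[AccessibilityService]:
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s.package not in allowed]


def read_device_setting(key: str = "enabled_accessibility_services") -> str:
    """Read a secure setting from the connected device via adb."""
    adb = shutil.which("adb")
    if adb is None:
        raise RuntimeError("adb not found on PATH")
    return subprocess.run(
        [adb, "shell", "settings", "get", "secure", key],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    try:
        raw, source = read_device_setting(), "connected device"
    except (RuntimeError, subprocess.CalledProcessError):
        raw, source = SAMPLE_DEVICE_OUTPUT, "constructed sample"
    print(f"Enabled accessibility services ({source}):")
    for svc in parse_enabled_services(raw):
        marker = "!!" if svc.package in {s.package for s in suspicious_services(raw)} else "  "
        print(f"{marker} {svc.package}  {svc.component}")
```

With a device attached over adb the script audits it directly; otherwise it falls back to the constructed sample so the parsing can be inspected offline. The allowlist is deliberately a per-package decision rather than a signature for known implants: the point is that anything holding accessibility access can read decrypted messages off the screen, so every entry has to be justified.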
Without explicitly attributing the operation, Kaspersky researchers pointed to links with the Italian software vendor Negg, a company that, like Hacking Team, develops surveillance tooling.
“Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam,” researchers said.