SafeUM
18 Jan 2018

Potent Skygofree malware packs ‘never-before-seen’ features

Researchers have identified a powerful new Android malware strain called Skygofree capable of eavesdropping on WhatsApp messages, siphoning private data off phones and allowing adversaries to open reverse shell modules on targeted devices, giving attackers ultimate remote control.

Researchers said the malware was developed three years ago and has evolved significantly since then to include 48 unique commands in its most recent iteration. Several of those features have never been seen before in Android malware, according to researchers at Kaspersky Lab, who discovered the Skygofree strain last year and disclosed their findings Tuesday.

“The implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals,” wrote researchers Nikita Buchka and Alexey Firsh in a technical breakdown of their research.

Clues as to who is behind the malware trace back to the Italian firm Negg International. Researchers said domains used for landing pages to spread the malware were registered to the company. Negg International did not return requests for comment. According to the company’s website, it offers a wide range of app development, pen testing and cybersecurity consulting services.

Kaspersky Lab said Skygofree victims were likely infected via malicious redirects or man-in-the-middle attacks driving users to landing pages that mimic mobile carrier web sites. Those landing pages included similar domain names and web page content to wireless carriers. Once targets were lured to landing page sites they were prompted to update their phone’s software.

“Dear Customer, in order to avoid malfunctions to your internet connection, we encourage you to upgrade your configuration. Download the update now and keep on navigating at maximum speed,” read one fake landing page targeting Vodafone customers.

Researchers describe Skygofree as a complex system capable of a wide range of spying, similar to Pegasus, discovered in August 2016. Pegasus was part of a spy platform traced back to a cyber arms-dealing outfit in Israel known as the NSO Group. Pegasus chained three Apple iOS zero days and was used to spy on a political dissident.

Kaspersky Lab said in the case of Skygofree, it was only aware of a handful of users in Italy being targeted with the malware.

Those Italian links have also prompted comparison between Skygofree and Italy-based intrusion software vendor HackingTeam. HackingTeam is known for selling surveillance and intrusion software products designed to help law enforcement agencies and other customers perform remote penetration and control of target systems.

“Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam,” researchers wrote.

Kaspersky Lab researchers said Skygofree’s advanced spy features also included recording Skype conversations and the unique ability to capture WhatsApp end-to-end encrypted conversations by abusing the Android Accessibility Services that are designed to assist users with disabilities.

“The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages,” researchers wrote regarding capturing WhatsApp conversations. “Note that the implant needs special permission to use the Accessibility Service API, but there is a command that performs a request with a phishing text displayed to the user to obtain such permission.”
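Because the implant can only read screen contents once its accessibility service has been enabled, a practical defensive check is to audit which accessibility services a device has turned on. The following POSIX shell script is an added example, not code from the article or from Kaspersky Lab: it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns and reports any service not on an allowlist (the allowlist and the sample value are assumptions constructed for illustration).

```shell
#!/bin/sh
# Added defensive audit (not from the article): flag enabled Android accessibility
# services that are not on an expected allowlist. Skygofree abuses this API to
# scrape WhatsApp messages off the screen, so an unexpected entry here is a
# strong signal worth investigating.

# Assumed allowlist of legitimate services (TalkBack, Google's screen reader).
# Entries use Android's "package/service" component form, colon-separated.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Print one line per enabled service that is not on the allowlist.
# Argument 1: the raw value of the enabled_accessibility_services setting.
# Runs in a subshell so changing IFS does not leak into the caller.
audit_a11y_services() (
  IFS=':'
  for svc in $1; do
    [ -z "$svc" ] && continue
    case ":$ALLOWLIST:" in
      *":$svc:"*) ;;   # known-good service, ignore
      *) echo "UNEXPECTED accessibility service enabled: $svc" ;;
    esac
  done
)

# Constructed sample standing in for the adb query: TalkBack plus a second,
# unexpected service (the second component name is invented for this example).
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.update/.ScreenReaderService"

# Set ADB_LIVE=1 to query a connected device instead of the sample value.
if [ -n "$ADB_LIVE" ]; then
  SAMPLE=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
fi

audit_a11y_services "$SAMPLE"
```

An empty or `null` setting value means no accessibility service is enabled, which the script reports as nothing to flag.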

Kaspersky Lab said the Skygofree Android implant is one of the most powerful spyware tools that it has ever seen for the Android platform. “As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations,” researchers wrote.

Tags:
Android surveillance
Source:
Threatpost