Android security: This newly discovered snooping tool has remarkable spying abilities

The mobile malware can steal WhatsApp messages, eavesdrop on targets based on GPS coordinates, and more.
Written by Danny Palmer, Senior Writer

Video: In the battle against malware, Google adds Play Protect logo to certified Android devices

A newly-uncovered form of Android spyware is one of the most advanced targeted surveillance tools ever seen on mobile devices, coming equipped with spying features never previously seen active in the wild.

Named Skygofree by researchers because the word was used in one of its domains, the multistage malware is designed for surveillance and puts the device in full remote control of the attackers, enabling them to perform advanced attacks including location-based sound recording, stealing communications including WhatsApp messages, and connecting to compromised networks controlled by the malware operators.

Researchers at Kaspersky Lab say those behind spyware have been active since 2014 and are targeting select individuals -- all in Italy. Those behind the mobile surveillance tool are also thought to be based in Italy.

"Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions," said Alexey Firsh, malware analyst in targeted attacks research at Kaspersky Lab.

The malware was uncovered during a review of suspicious file feeds, with its capabilities uncovered after analysing the code.


Researchers say Skygofree has some of the most advanced features ever seen in mobile malware.

Image: iStock

Still thought to be receiving updates from its authors, Skygofree offers attackers 48 different commands, allowing them flexibility to access almost all services and information on the infected device.

That includes the ability to secretly to use the device's microphone eavesdrop on the user and their surroundings when they enter a specified location -- a surveillance feature which has never previously been seen in the wild.

Other previously unseen features bundled with Skygofree are the ability to use Accessibility Services to steal WhatsApp messages of victims and an ability to connect an infected device to wi-fi networks controlled by the attackers.

The malware is also equipped with all the features and root access privileges usually associated with trojan spyware, including capturing photos and videos, seizing call records and text messages, as well as monitoring the user's location via GPS, their calendar, and any information stored on the device.

See also: Cyberwar: A guide to the frightening future of online conflict

If the user has chosen to run battery-saving measures, Skygofree is able to add itself to the list of 'protected apps' in order to ensure it can carry on its malicious activity, even when the screen is off or the phone isn't active.

It remains unclear if those targeted by Skygofree have anything in common outside of being based in Italy, but research suggests that those infected with the Android malware have been compromised after visiting fake websites which mimic those of leading mobile operators.

While researchers still don't know how the victims are lured onto these malicious sites, once there, they're asked to update or configure their device configuration, allowing the malware to be dropped in the process.

Most attacks appear to have taken place in 2015, but there's evidence that Skygofree is still active with evidence of attacks as recently as 31 October 2017. The attackers have gone out of their way to ensure that Skygofree remained under the radar without being detected.

"High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion," said Firsh.

In addition to actively infecting Android devices, the attackers also appear to have an interest in Windows systems: researchers uncovered recently-developed modules to target the platform.

However, given the treasure trove of information a mobile device can provide to attackers, it's no surprise that those behind Skygofree put their main focus on Android -- especially given the chance it offers to track a user's movement and therefore activate attacks based on location.

Now read: Cybersecurity in 2018: A roundup of predictions

"Mobile spyware is becoming more effective than PC variants, because victims keep their mobile phone close by them at all times, and such implants can exfiltrate a large amount of sensitive information," Vicente Diaz, deputy head of the global research and analysis team at Kaspersky Lab, told ZDNet. "Some of the never before seen-in-the-wild features of Skygofree are remarkable in their capability."

In order to protect against falling for these sorts of targeted cyber-attacks, mobile users are encouraged to use a security tool to help protect their device and to exercise caution when they receive emails from people or organisations they don't know, or with unexpected requests or attachments.

Recent and related coverage

Phoney Android security apps in Google Play Store found distributing malware, tracking users

36 apps that posed as tools to keep users safe from attacks were actually installing malware on their devices.

Android security: Flashlight apps on Google Play infested with adware were downloaded by 1.5m people

Android users looking for simple tools found their devices infected with aggressive LightsOut adware.


Editorial standards