Security researchers have uncovered a malware program for Android devices that has highly sophisticated spying capabilities and is likely being used for surveillance.
Researchers from antivirus vendor Kaspersky Lab found the spyware implant in October, but their subsequent investigation revealed earlier variants dating as far back as 2014. The researchers have named the malware Skygofree and believe it was developed by an Italian software company.
While the early variants of Skygofree are quite basic, the malware has evolved over the past three years. The last version has an impressive number of features and spying capabilities, including some that have never been seen before in a mobile malware application.
For example, the attacker can define a very specific geographic location and when an infected device enters that perimeter, the malware automatically uses the microphone to record conversations and other sounds. It’s not hard to see how that would be extremely useful in a surveillance operation.
Another feature allows the attacker to specify a Wi-Fi network, including credentials, which the malware can automatically connect the victim’s phone to. This could be used to launch man-in-the-middle attacks against the victim by setting up a malicious hotspot nearby and redirecting the user to rogue websites.
In total, Skygofree supports 48 commands that range from stealing encryption keys and conversations from chat applications such as WhatsApp, Viber and Facebook Messenger to exfiltrating call records, text messages, calendar events and virtually any file stored on the device.
The malware roots infected phones, gains the highest privilege possible and communicates with the attacker’s command-and-control servers over a variety of protocols including HTTP, XMPP, binary SMS and FirebaseCloudMessaging or GoogleCloudMessaging. It also can enable mobile data and Wi-Fi connectivity on request, providing attackers with a lot of flexibility in how they interact with infected devices.
The main method of infection identified by the Kaspersky researchers is through rogue websites that mimic those of known mobile operators and advise users to download an update for their phone’s internet configuration, which is actually the malware. Targeted users might be redirected to these websites through man-in-the-middle techniques activated when they connect their devices to public or compromised Wi-Fi networks.
Once installed on a user’s phone, the malware tries to use the existing “su” binary if the device is already rooted or attempts to root the device using a number of known exploits. The rooting module and some other components were copied from open source projects available on GitHub.
However, there is also evidence that some features were coded for specific devices that have certain particularities in their Android firmware, which shows that a lot of engineering effort went into the spyware.
In addition to the Android malware, the Kaspersky researchers found what they believe to be a related spyware program for Windows that can be used to record Skype conversations, log keystrokes and capture screenshots. This tool is also capable of recording sound from the computer’s surroundings.
“The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform,” the Kaspersky researchers said in a blog post. “As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.”
“Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam,” the researchers said.
HackingTeam is a Milan-based software company known for developing so-called lawful surveillance tools. The company has been criticized for selling its software to oppressive regimes, which then have used it to spy on activists.
HackingTeam suffered a major data breach in 2015 that resulted in large amounts of its internal data, including source code for its products, being leaked on the internet. Kaspersky did not directly attribute Skygofree to HackingTeam but noted it identified the malware on the devices of several individuals in Italy.
Even if Skygofree turns out to be a commercial surveillance tool primarily sold to law enforcement agencies, history has shown that sooner or later such software ends up in the hands of people its developers did not intend to have it. So, it’s possible the malware will be used more broadly in the future.