A new research report from Kaspersky Lab details their analysis of Skygofree, a newly discovered strain of malware that offers some of the most comprehensive and invasive surveillance tools ever seen on Android.
The researchers hypothesize that Skygofree is a product of an unnamed Italian firm that sells it to governments, corporations or criminals, a niche that was left unfilled when the Italian cyber-arms dealer Hacking Team imploded after leaks revealed the company's involvement in supplying human rights abusers and other criminals with offensive cyber-weapons.
Skygofree's capabilities include covert video and audio capture; exfiltration of call logs, text messages, calendar data and location data; keylogging; covert Skype recording; a reverse shell; geo-fenced remote mic activation (turning the target's phone into a listening device, but only in certain locations); stealing WhatsApp messages by abusing Android's accessibility services; and forcing infected devices to connect to attacker-controlled Wi-Fi networks.
Skygofree has been under development since at least 2014, and exploits five different Android vulnerabilities to gain root access to target devices.
The researchers trace the malware to Italy based on subtle and inconclusive clues, such as a domain referenced in the code that is registered to an Italian company. Such clues should be treated with caution: it is common for malware writers to obfuscate, or deliberately misdirect researchers about, the origins of their products.
That's not to say the malware is perfect. The various versions examined by Kaspersky Lab contained several artifacts that provide valuable clues about the people who may have developed and maintained the code. Traces include the domain name h3g.co, which was registered by Italian IT firm Negg International. Negg officials didn't respond to an email requesting comment for this post. The malware may be filling a void left after the epic hack in 2015 of Hacking Team, another Italy-based developer of spyware.
Skygofree: Following in the footsteps of HackingTeam
[Nikita Buchka and Alexey Firsh/Securelist]
Found: New Android malware with never-before-seen spying capabilities [Dan Goodin/Ars Technica]
(Image: Cjohnson7, CC-BY)