Kaspersky uncovers Skygofree, a sophisticated malware that allows hackers to spy on Android users

- Adrian Ungureanu

A very dangerous malware “implant” for Android mobile devices is being used by hackers to spy on users through the infected devices’ microphones.

Kaspersky Lab researchers have uncovered Skygofree, which has apparently been active since 2014 and includes functionality never seen in the wild before, such as location-based audio recording through infected devices. The spyware is spread through web pages mimicking leading mobile network operators.

Skygofree is a sophisticated, multi-stage spyware that gives attackers full remote control of an infected device. It has undergone continuous development since the first version was created at the end of 2014 and it now includes the ability to eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild.

Other advanced, previously unseen features include using Accessibility Services to steal WhatsApp messages and the ability to connect an infected device to Wi-Fi networks controlled by the attackers.

“High end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion. Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam”, said Alexey Firsh, Malware Analyst, Targeted Attacks Research, Kaspersky Lab.

The researchers found 48 different commands that can be implemented by attackers, allowing for maximum flexibility of use.

To stay protected from advanced mobile malware threats, Kaspersky Lab strongly recommends implementing a reliable security solution that can identify and block such threats on endpoints, such as Kaspersky Security for Mobile.

Users are further advised to exercise caution when they receive emails from people or organizations they don’t know, or with unexpected requests or attachments, and to always double-check the integrity and origin of websites before clicking on links. If in doubt, call the service provider to verify. System administrators, in turn, are advised to turn on Application Control functionality in their mobile security solutions to control potentially harmful programs vulnerable to this attack.