Security researchers from Kaspersky Lab have discovered a new and powerful strain of Android spyware that they believe was created by an Italian IT company which they suspect is active in the surveillance software market.
Researchers named this new spyware Skygofree after some of the domain names used in its infrastructure. They traced evidence of Skygofree's activity back to 2014, but they said the malware was most active in 2016.
All the distribution campaigns they uncovered targeted Italian users only, and based on Kaspersky statistics, only Italian users appear to have been infected.
Researchers also said the spyware's code contained multiple strings and comments written in Italian, which suggests the spyware was purposely developed to target Italian users only.
Kaspersky said it encountered many "negg" strings and artifacts in the Skygofree campaigns. Negg International is the name of an Italian IT software company that advertises a wide range of services, including in cyber-security and mobile and web app development.
While Kaspersky has not officially pegged Negg as Skygofree's author, all evidence hints at this conclusion. Bleeping Computer has reached out to the company for clarification.
It may very well be true that Kaspersky has uncovered a cyber-tool that Negg might have developed for Italian law enforcement to help them catch suspects in official investigations. In the infosec community, such tools are called "lawful intercept" or "lawful surveillance" solutions. Skygofree's small number of infections and its limited use inside Italy's borders suggest as much.
"The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for [the Android] platform," Kaspersky researchers said in a report released earlier today.
"As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations," they added.
Below are Skygofree's capabilities, which we summarized from Kaspersky's more in-depth technical analysis.
Researchers have also discovered Skygofree-related files suggesting the Android spyware might have payloads and variants for infecting Linux (Busybox) and Windows systems, although no such infections were identified.
Despite being one of the most advanced pieces of Android malware, Skygofree is not an original piece of code. Kaspersky says the malware was cobbled together from multiple open-source projects, some hosted on GitHub, such as PRISM (reverse shell), android-rooting-tools (Android rooting tools), El3ct71k Keylogger (keylogger), and the Xenotix Python Keylogger (Windows keylogger).