Skygofree malware

Security researchers from Kaspersky Lab have discovered a new and powerful strain of Android spyware that they believe was created by an Italian IT company which they suspect is active in the surveillance software market.

Researchers named this new spyware Skygofree based on some of the domain names used in its infrastructure. They tracked down evidence of Skygofree's activity back to 2014, but they said the malware was most active in 2016.

Skygofree used in Italy alone

All distribution campaigns they uncovered targeted Italian users only, and based on Kaspersky's statistics, only Italian users appear to have been infected.

Researchers also said the spyware's code contained multiple strings and comments written in Italian, which suggests the spyware was purposely developed to target Italian users only.

Kaspersky said it encountered many "negg" strings and artifacts in the Skygofree campaigns. Negg International is the name of an Italian IT software company that advertises a wide range of services, including in cyber-security and mobile and web app development.

While Kaspersky has not officially pegged Negg as Skygofree's author, all evidence hints at this conclusion. Bleeping Computer has reached out to the company for clarification.

It may very well be true that Kaspersky has uncovered a cyber-tool that Negg might have developed for Italian law enforcement to help them track suspects in official investigations. In the infosec community, such tools are called "lawful intercept" or "lawful surveillance" solutions. Skygofree's small number of infections and its use only inside Italy's borders suggest as much.

Skygofree is a very powerful spying tool

"The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for [the Android] platform," Kaspersky researchers said in a report released earlier today.

"As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations," they added.

Below are Skygofree's capabilities, which we summarized from Kaspersky's more in-depth technical analysis.

☠  Record audio and upload the file to a remote server
☠  Record surrounding audio when the victim is in a certain geographical location
☠  Location tracking with movement detection
☠  GSM tracking (CID, LAC, PSC)
☠  Steal data from the phone's clipboard
☠  Keylogging features
☠  Search for files and upload stolen files to a remote server
☠  Skygofree can be controlled via HTTP, XMPP, binary SMS, and Firebase Cloud Messaging protocols
☠  Create a new Wi-Fi connection and force the user's phone to connect to it. This feature is used to force phones onto a network where someone can perform MitM traffic sniffing.
☠  Can add itself to the "Protected Apps" list on Huawei devices. Apps on this list are allowed to keep running when the phone screen is turned off.
☠  A reverse shell for sending commands to infected devices.
☠  Contains rooting exploits (CVE-2013-2094, CVE-2013-2595, CVE-2013-6282, CVE-2014-3153, CVE-2015-3636).
☠  Can extract data from IM apps such as Line, Viber, WhatsApp, Facebook, and Facebook Messenger.
☠  Contains a unique exploit that uses the Android Accessibility service to read conversations displayed on the user's screen inside WhatsApp.

Researchers have also discovered Skygofree-related files suggesting the Android spyware might have payloads and variants for infecting Linux (BusyBox) and Windows systems, although no such infections were identified.

Yet despite being one of the most advanced pieces of Android malware, Skygofree is not an original piece of code. Kaspersky says the malware was cobbled together from multiple open-source projects, some hosted on GitHub, such as PRISM (reverse shell), android-rooting-tools (Android rooting tools), El3ct71k Keylogger (keylogger), and the Xenotix Python Keylogger (Windows keylogger).
