Security researchers discovered a new type of Android spyware called Skygofree that appeared to have been in development...
a long time and included "never-before-seen surveillance features" on mobile devices and also has a Windows variant.
Skygofree was first observed in October 2017 by Nikita Buchka and Alexey Firsh, mobile malware analyst and security expert, respectively, at Kaspersky Lab. The researchers said in a blog post that they believe Skygofree was first developed in 2014, but "since then, the implant's functionality has been improving and remarkable new features implemented."
"The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform. As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations," Buchka and Firsh wrote in their analysis. "Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam."
The researchers said malicious actors could control Skygofree "via HTTP, XMPP, binary SMS and FirebaseCloudMessaging" protocols in order to trigger commands to record audio when in a specified location, steal files from other applications, enable Wi-Fi and connect to a malicious Wi-Fi network or capture video or images from the front-facing camera when the device is unlocked.
The Android spyware was hardcoded to target data from encrypted messaging services like Line, Facebook Messenger, WhatsApp and Viber. The Kaspersky researchers said Skygofree had phishing schemes to lure victims to enable Accessibility Services that would allow the spyware to read what was on the display, including messages in those encrypted apps.
Buchka and Firsh said they "found multiple components that form an entire spyware system for the Windows platform" related to Skygofree. The Windows version of the software was written in Python but could be run on systems without pre-installed Python binaries.
The Windows version of the Skygofree spyware could open sockets and connect to a remote server and exfiltrate files. The spyware had modules to collect file structure dumps, audio recordings, keylogger data, screenshots and even recordings of Skype calls.
Distribution and Android Accessibility misuse
Buchka and Firsh said the Skygofree spyware was distributed via malicious APKs found on several landing sites.
"All the observed landing pages mimic the mobile operators' web pages through their domain name and web page content as well," the researchers wrote. "Unfortunately, for now we can't say in what environment these landing pages were used in the wild, but according to all the information at our disposal, we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks. For example, this could be when the victim's device connects to a Wi-Fi access point that is infected or controlled by the attackers."
The Kaspersky research did not mention Skygofree ever being found in Android apps in the Google Play Store, which would imply victims would need to be lured into manually installing the Android malware.
The researchers also did not mention when they disclosed the issue to Google. But, one month after Kaspersky first discovered the Android spyware, Google did crack down on apps in the Play Store that misused the Accessibility Services API.
In mid-November 2017, XDA Developers first reported that Google would more strictly punish developers who did not follow guidelines for the Accessibility Services API and removing apps from the Play Store if they used the API in ways that did not "help users with disabilities use Android devices and apps."
It is unclear if Kaspersky's research and this action by Google were related, and neither company has responded to requests for comment at the time of this post.