Kaspersky Lab researchers have uncovered advanced mobile spyware for Android that gives attackers full remote control of infected devices and has several novel features. Dubbed Skygofree, the spyware package, or implant, is designed for targeted cyber surveillance and includes functionality previously unseen in the wild. It is believed to have been active since 2014.
The new features include location-based audio recording, the use of accessibility services to steal WhatsApp messages, and the ability to connect an infected device to attacker-controlled Wi-Fi to perform traffic sniffing and man-in-the-middle (MitM) attacks.
The spyware, described by researchers as one of the most advanced mobile implants they have ever seen, is spread through web pages mimicking leading mobile network operators, so victims install it themselves rather than obtaining it from an official app store. Most of the spoofed landing pages used for spreading the implant were registered in 2015, when, according to Kaspersky Lab telemetry, the distribution campaign was at its most active. The implant carries multiple exploits for root access and is also capable of taking pictures and videos, capturing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory.
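Two of the behaviours above, abuse of accessibility services to read another app's screen content and delivery as a sideloaded app from a spoofed web page, are things a responder can check for on a handset without any vendor tooling. The following Python helper is an added example, not code from Kaspersky Lab's report or from the implant: it parses the output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags every enabled accessibility service whose package was not installed by a trusted store. The sample command outputs embedded in the block are constructed, and the package names in them (`com.example.netconfig` and so on) are hypothetical.

```python
"""Triage helper: flag sideloaded apps that hold Android accessibility access.

Added example, not part of Kaspersky Lab's Skygofree report. It parses the
output of two real adb commands:
    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i
The sample outputs below are constructed; their package names are hypothetical.
"""

from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `settings get secure enabled_accessibility_services`.
# The value is a colon-separated list of "package/service" component names.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.netconfig/.AccessibilityHelper"
)

# Constructed sample of `pm list packages -i`: one "package:<name>  installer=<pkg>"
# line per app; "installer=null" means the app was not installed by any store.
SAMPLE_PACKAGES_WITH_INSTALLER = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.netconfig  installer=null
package:com.whatsapp  installer=com.android.vending
"""

# Installers treated as trustworthy; extend for enterprise MDM or OEM stores.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

_PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the settings value into (package, fully qualified service) pairs.

    The setting reads "null" (or is empty) when no accessibility service is on.
    A service class beginning with "." is relative to its package name.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: List[Tuple[str, str]] = []
    for component in raw.split(":"):
        pkg, _, service = component.partition("/")
        if service.startswith("."):
            service = pkg + service
        pairs.append((pkg, service))
    return pairs


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when sideloaded."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if not m:
            continue  # ignore blank or unexpected lines
        installer = m.group("installer")
        installers[m.group("pkg")] = None if installer == "null" else installer
    return installers


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: Optional[str]  # None means the package was sideloaded


def suspicious_accessibility_services(
    enabled_raw: str,
    installers_raw: str,
    trusted: frozenset = TRUSTED_INSTALLERS,
) -> List[Finding]:
    """Return enabled accessibility services whose package did not come from a trusted store.

    A package missing from the installer listing is also reported, since the
    setting then points at something the package manager cannot account for.
    """
    installers = parse_installers(installers_raw)
    findings: List[Finding] = []
    for pkg, service in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg)
        if installer not in trusted:
            findings.append(Finding(pkg, service, installer))
    return findings


if __name__ == "__main__":
    hits = suspicious_accessibility_services(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES_WITH_INSTALLER)
    for f in hits:
        print(f"{f.package}: accessibility service {f.service} enabled, installer={f.installer}")
```

Run it against real output by piping the two adb commands into the parsers. A hit is not proof of spyware; screen readers and some enterprise tools legitimately hold accessibility access, so the point of the check is to produce a short list of packages to pull and examine, with sideloaded ones at the top.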
The researchers found a total of 48 different commands that attackers can issue to the implant, giving them considerable flexibility in how it is used.
A special feature lets Skygofree survive a battery-saving mechanism that stops background apps when the screen is off: the implant simply adds itself to the list of “protected apps” (a feature found on some Huawei devices), so the system does not shut it down automatically.
The spyware developers also appear to have an interest in Windows users, because researchers found a number of recently developed modules targeting that platform. The researchers believe the developer of Skygofree is based in Italy: all the infected devices detected so far are located in that country, and artefacts in the code and the attack infrastructure point the same way. The campaign is ongoing, with the most recent domain registered in October 2017, the researchers said.
Alexey Firsh, malware analyst at Kaspersky Lab, said:
“High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage, creating and evolving an implant that can spy extensively on targets without arousing suspicion. Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like Hacking Team.”
Hacking Team is a controversial Italian surveillance software firm that counts law enforcement and security agencies among its customers. In 2013, Hacking Team was named by Reporters Without Borders as one of the “corporate enemies of the internet” for providing surveillance tools to oppressive regimes, but the company has never identified any of its clients and has consistently denied selling to oppressive governments.
To stay protected from advanced mobile malware threats, Kaspersky Lab strongly recommends implementing a reliable security system that can identify and block such threats on endpoints.
Users are also advised to exercise caution when they receive emails from people or organisations they do not know, or with unexpected requests or attachments, and should always double-check the integrity and origin of websites before clicking on links.
Enterprise system administrators are advised to turn on application control functionality in their mobile security systems, so that only approved apps can be installed and run; because Skygofree is delivered from spoofed web pages rather than an official app store, blocking unapproved installs removes its delivery route.