Internet related News · 2018-01-17

Most powerful Android malware found – News


Phone malware keeps getting “smarter” with the passage of time, and ‘Skygofree’, discovered by anti-virus company Kaspersky, seems to be the smartest so far.

Kaspersky said on its official blog that Skygofree was “overflowing with functions” (meaning, activities), some of which have not been encountered elsewhere.

For example, it can track the location of a device it’s installed on, and turn on audio recording when the owner is in a certain place. In practice, this means that attackers can start listening in on victims when, say, they enter the office or visit the CEO’s home.

Another never-before-seen feature is the ability to steal WhatsApp messages. It does this by abusing the Android Accessibility Service, which is designed to help users who have disabilities or who may temporarily be unable to fully interact with a device.
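A defender-side check for the Accessibility Service abuse described above, as an added example that is not from Kaspersky's write-up or the original article: it takes the value of the Android secure setting `enabled_accessibility_services` and lists every enabled service whose package is not on an allowlist. The allowlist contents, the sample value and the package `com.example.netupdate` are constructed for illustration.

```shell
#!/bin/sh
# Packages expected to hold an accessibility service on managed devices.
# Assumption for this example: adjust to your own fleet.
ALLOWLIST="com.google.android.marvin.talkback com.example.corp.reader"

# Constructed sample of what the following command prints on a device:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of package/ServiceClass components,
# or "null" when no accessibility service is enabled.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.netupdate/.SpeedService"

# unexpected_a11y_services VALUE
# Prints one "package service" line for each enabled accessibility service
# whose package is not in ALLOWLIST. Prints nothing for "null" or empty input.
unexpected_a11y_services() {
    # adb output can carry carriage returns; strip them before parsing.
    value=$(printf '%s' "$1" | tr -d '\r')
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r comp; do
        # Skip empty fields produced by stray separators.
        [ -n "$comp" ] || continue
        pkg=${comp%%/*}   # text before the first slash: the package name
        svc=${comp#*/}    # text after the first slash: the service class
        case " $ALLOWLIST " in
            *" $pkg "*) continue ;;   # expected service, not reported
        esac
        printf '%s %s\n' "$pkg" "$svc"
    done
}

# Run against the constructed sample; on a real device pass the adb output.
unexpected_a11y_services "$SAMPLE"
```

Any package this reports deserves a look at how it was installed and why it needs to read other apps' screen content.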

Another interesting technique Skygofree employs is surreptitiously connecting an infected smartphone or tablet to a Wi-Fi network controlled by the attackers, even if the owner of the device has disabled all Wi-Fi connections on the device. This lets the victim’s traffic be collected and analyzed. In other words, someone somewhere will know exactly what sites were looked at, and what logins, passwords, and card numbers were entered, claimed Kaspersky.

The malware also has a couple of functions that help it operate in standby mode. For example, the latest version of Android can automatically stop inactive processes to save battery power, but Skygofree is able to bypass this by periodically sending system notifications. And on smartphones made by one of the tech majors, where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list.

According to Kaspersky, the malware is an offensive security product sold by an Italian IT firm.

We discovered Skygofree recently, in late 2017, but our analysis shows the attackers have been using it — and constantly enhancing it — since 2014. Over the past three years, it has grown from a rather simple piece of malware into full-fledged, multifunctional spyware.

The malware is distributed through fake mobile operator websites, where Skygofree is disguised as an update to improve mobile Internet speed. If a user swallows the bait and downloads the Trojan, it displays a notification that setup is supposedly in progress, conceals itself from the user, and requests further instructions from the command server. Depending on the response, it can download a variety of payloads — the attackers have solutions for almost every occasion.


 
