Powerful Android surveillance software

February 2018 Editor's Choice, News & Events

Kaspersky Lab researchers have uncovered an advanced mobile implant, active since 2014 and designed for targeted cyber-surveillance, possibly as an ‘offensive security’ product. The implant, named Skygofree includes functionality never seen in the wild before, such as location-based audio recording through infected devices. The spyware is spread through web pages, mimicking leading mobile network operators.

Skygofree is sophisticated, multi-stage spyware that gives attackers full remote control of an infected device. It has undergone continuous development since the first version was created at the end of 2014 and it now includes the ability to eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild. Other advanced, unseen features include using Accessibility Services to steal WhatsApp messages and the ability to connect an infected device to Wi-Fi networks controlled by the attackers.

The implant carries multiple exploits for root access and is also capable of taking pictures and videos, seizing call records, SMSs, geolocation, calendar events and business-related information stored in the device’s memory. A special feature enables it to circumvent a battery-saving technique implemented by a top device vendor: the implant adds itself to the list of ‘protected apps’ so that it is not switched off automatically when the screen is off.

The attackers also appear to have an interest in Windows users, and researchers found a number of recently developed modules targeting this platform.

Most of the spoofed landing pages used for spreading the implant were registered in 2015, when according to Kaspersky Lab telemetry the distribution campaign was at its most active. The campaign is ongoing and the most recent domain was registered in October 2017. The data shows there have been several victims to date, all in Italy.

“High end mobile malware is very difficult to identify and block, and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion. Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam”, said Alexey Firsh, malware analyst, targeted attacks research, Kaspersky Lab.

The researchers found 48 different commands that can be implemented by attackers, allowing for maximum flexibility of use.

Further information, including a list of Skygofree’s commands, indicators of compromise, domain addresses and the device models targeted by the implant’s exploit modules can be found on securelist.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Enhance control rooms with surveillance and intelligence
Leaderware Editor's Choice Surveillance Mining (Industry)
Dr Craig Donald advocates the use of intelligence and smart surveillance to assist control rooms in dealing with the challenges of the size and dispersed nature common in all mining environments.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Mining (Industry) Risk Management & Resilience
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
A constant armed struggle
Technews Publishing XtraVision Editor's Choice Integrated Solutions Mining (Industry) IoT & Automation
SMART Security Solutions asked a few people involved in servicing mines to join us for a virtual round table and give us their insights into mine security today. A podcast of the discussion will be released shortly-stay tuned.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Risk Management & Resilience
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...
Integrated information platform for risk management
Editor's Choice News & Events Risk Management & Resilience
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Read more...
Unlocking Africa's AI potential
Editor's Choice News & Events AI & Data Analytics
Africa's AI market is set to grow exponentially; by investing in AI education, training, and ethical practices, African nations can harness the power of AI to transform the continent and create a brighter future for its people.

Read more...
The CIPC hack has potentially serious consequences
Editor's Choice Information Security
A cyber breach at the South African Companies and Intellectual Property Commission (CIPC) has put millions of companies at risk. The organisation holds a vast database of registration details, including sensitive data like ID numbers, addresses, and contact information.

Read more...
Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Risk Management & Resilience
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Read more...
Entries to southern Africa OSPA Awards now open
Technews Publishing Securex South Africa Editor's Choice News & Events
The southern Africa OSPAs are part of a global awards scheme that recognises and rewards teams, individuals and organisations for their commitment and outstanding performance within the security sector.

Read more...
Securex has moved to June
Technews Publishing Editor's Choice News & Events
Following the formal announcement of the date for South Africa’s national election, 29 May 2024 , which happened to be in the middle of the planned dates for Securex South Africa, Securex will now take place from 11 – 13 June 2024 at Gallagher Estate in Midrand.

Read more...