Security firm Kaspersky Lab has discovered a new spyware tool, dubbed “Skygofree.” The software is capable of infecting Android devices and can track the user's location, record audio, and upload sensitive data stored on the device, such as calendar entries, text messages, and WhatsApp conversations. Researchers from the security firm discovered the spyware after observing a number of landing pages that mimic the actual websites of local network operators in Italy. The company notes that all of the affected users are in Italy, and it is likely that most of them were infected back in 2015. However, researchers note that development of the spyware is still continuing, suggesting some individuals may have been infected only recently.
Skygofree starts a total of eight background services once it is launched. In addition, the spyware hides an icon and pushes a welcome notification to the user. Some of these background services can record audio clips, access and steal data stored in the operating system’s clipboard (used for copy-paste actions), and track location. Moreover, the malware starts the AndroidFileManager service, which allows it to upload all the data it has collected from the device. The malware also supports command and control (C&C): the attackers can send commands to an infected smartphone over HTTP, SMS, or even Google’s own Firebase Cloud Messaging protocol. One of the commands the attacker can send is ‘geofence’, which instructs the handset to start recording audio once the user is in a specific location.
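A defender-side triage check for the behaviour described above, as an added example that is not from Kaspersky or the original article: it reads a decoded AndroidManifest.xml (for instance, one unpacked with apktool) and reports which of the capabilities listed here the app holds permissions for. The sample manifests, package names, the `.LocationWatcher` and `.Sync` services and the `min_capabilities` threshold are constructed assumptions, and a match is a reason to review the app, not proof of infection.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Capabilities named in the article, mapped to the Android permissions they require.
CAPABILITIES = {
    "location tracking": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "audio recording": {P + "RECORD_AUDIO"},
    "reading text messages": {P + "READ_SMS"},
    "receiving SMS (possible command channel)": {P + "RECEIVE_SMS"},
    "reading calendar entries": {P + "READ_CALENDAR"},
}

def triage_manifest(manifest_xml, min_capabilities=4):
    """Report how closely a decoded manifest matches the described profile.

    min_capabilities is an assumed review threshold, not a published indicator.
    """
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = [e.get(ANDROID_NS + "name", "") for e in root.iter("service")]
    matched = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    return {
        "package": root.get("package"),
        "capabilities": matched,
        "service_count": len(services),
        # The only service name the article gives; the full class name is unknown.
        "named_service_hit": [s for s in services if "AndroidFileManager" in s],
        "review": len(matched) >= min_capabilities,
    }

def _manifest(package, perms, services):
    """Build a constructed sample manifest for the demonstration below."""
    ns = 'xmlns:android="http://schemas.android.com/apk/res/android"'
    p = "".join(f'<uses-permission android:name="{P}{x}"/>' for x in perms)
    s = "".join(f'<service android:name="{x}"/>' for x in services)
    return f'<manifest {ns} package="{package}">{p}<application>{s}</application></manifest>'

# Constructed samples: neither is a real application.
SUSPECT = _manifest("com.example.update",
                    ["RECORD_AUDIO", "ACCESS_FINE_LOCATION", "READ_SMS",
                     "RECEIVE_SMS", "READ_CALENDAR"],
                    [".AndroidFileManager", ".LocationWatcher"])
BENIGN = _manifest("com.example.notes", ["INTERNET"], [".Sync"])

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```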
Given the complexity of the software and its exploitation of multiple operating system vulnerabilities, researchers from Kaspersky described the Skygofree malware as one of the “most powerful spyware tools” they have ever encountered. It is likely that the software was developed by an Italian IT company that specializes in surveillance, according to the security firm. However, Kaspersky mentioned that it had only observed ten individuals who have been affected by the spyware. To avoid being affected, Kaspersky advises users to stay clear of unfamiliar websites and regularly run anti-malware tools on their smartphones.