Highly persistent Android Spyware called Skygofree discovered that has been developed with many advance futures to steal as many as data from victims and malware authors are keep adding many sophisticated Futures since 2014.
Researchers found many malicious web pages that mimic as mobile operator page which is using for spreading this Android spyware and those pages are registered by an attacker since 2015 and most recent domain registered in 2017.
This Malware has some dangerous stealing functions such as record audio surroundings via the microphone when an infected device is in a specified location, stealing of WhatsApp messages via Accessibility Services also it can enter into an infected wifi network.
Since the beginning of this malware evolution, its future keep changing many times and every time malware authors added many advance functionality and obfusticated techniques.
Some of the other versions of this malware also detected which has some extreme capability such as exfiltrate the data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.
How Does this Skygofree Android Spyware Works
Malware authors are using HTTP, XMPP, binary SMS, and FirebaseCloudMessaging protocols to control this malware.
Its uses around 48 different commands in a code to perform various malicious operations some of following.
- geofence – used for record surrounding audio.
- Social -command that starts the ‘AndroidMDMSupport’ service
- wifi – this command creates a new Wi-Fi connection and establish a connection with attacker network
- Camera – this command records a video/capture a photo
According to Kaspersky labs, this Android spyware implant developed with various stages and added many futures in each and every version.
The attacker using reverse shell module that helps to connect to the command & control server.
Researchers find an important payload binary that is capable of exploiting several known vulnerabilities and this payload binary added in 2016 according to the timestamp.
Once this malware download and unpacking, then it exploiting the some of dangerous known vulnerabilities and module attempts to get root privileges on the device.
CVE-2014-3153 (futex aka TowelRoot)
The exploit payload code shared many similar capabilities of public android rooting tools
It also using a tool called busybox that provides several Linux tools in a single ELF file to steal the Whatsup encryption key
Skygofree using social payload to other installed social media applications such as facebook messenger, whatsup, viber, and Line.
According to Trend Micro, As mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way. The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages.
Aslo researchers found multiple components that form an entire spyware system for the Windows platform.
These windows components also having some advance stealing futures such as sending data, keylogging, screenshot capturing and recording Skype calls.
Researchers believes that the Skygofree Android implant is one of the most powerful spyware tools As a result of the long-term development process, there are multiple, exceptional capabilities.
You can download a complete Indicators of Compromise Skygofree IOC.