Thursday, March 28, 2024

Skygofree – Highly Sophisticated Android Spyware Discovered that Almost Steal Everything in Your Mobile

Highly persistent Android Spyware called Skygofree discovered that has been developed with many advance futures to steal as many as data from victims and malware authors are keep adding many sophisticated Futures since 2014.

Researchers found many malicious web pages that mimic as mobile operator page which is using for spreading this Android spyware and those pages are registered by an attacker since 2015 and most recent domain registered in 2017.

This Malware has some dangerous stealing functions such as record audio surroundings via the microphone when an infected device is in a specified location, stealing of WhatsApp messages via Accessibility Services also it can enter into an infected wifi network.

Since the beginning of this malware evolution, its future keep changing many times and every time malware authors added many advance functionality and obfusticated techniques.

Some of the other versions of this malware also detected which has some extreme capability such as exfiltrate the data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.

Also Read: Self-Destructive KillDisk Malware Overwrites then Deletes files and Force a Reboot

How Does this Skygofree Android Spyware Works 

Malware authors are using HTTP, XMPP, binary SMS, and FirebaseCloudMessaging protocols to control this malware.

Its uses around 48 different commands in a code to perform various malicious operations some of following.

  • geofence – used for record surrounding audio.
  • Social -command that starts the ‘AndroidMDMSupport’ service
  • wifi – this command creates a new Wi-Fi connection and establish a connection with attacker network
  • Camera – this command records a video/capture a photo

According to Kaspersky labs, this Android spyware implant developed with various stages and added many futures in each and every version.

The attacker using reverse shell module that helps to connect to the command & control server.

Researchers  find an important payload binary that is capable of exploiting several known vulnerabilities and this payload binary added in 2016 according to the timestamp.

Once this malware download and unpacking, then it exploiting the some of dangerous known vulnerabilities and module attempts to get root privileges on the device.

CVE-2013-2094
CVE-2013-2595
CVE-2013-6282
                                      CVE-2014-3153 (futex aka TowelRoot)
CVE-2015-3636

The exploit payload code shared many similar capabilities of public android rooting tools 

It also using a tool called busybox that provides several Linux tools in a single ELF file to steal the Whatsup encryption key

Skygofree using social payload to other installed social media applications such as facebook messenger, whatsup, viber, and Line.

According to Trend Micro,  As mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way. The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages.

Aslo researchers found multiple components that form an entire spyware system for the Windows platform.

These windows components also having some advance stealing futures such as sending data, keylogging, screenshot capturing and recording Skype calls.

Researchers believes that the Skygofree Android implant is one of the most powerful spyware tools As a result of the long-term development process, there are multiple, exceptional capabilities.

You can download a complete Indicators of Compromise Skygofree IOC.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles