Categories: spyware

Skygofree – Highly Sophisticated Android Spyware Discovered that Almost Steal Everything in Your Mobile

Highly persistent Android Spyware called Skygofree discovered that has been developed with many advance futures to steal as many as data from victims and malware authors are keep adding many sophisticated Futures since 2014.

Researchers found many malicious web pages that mimic as mobile operator page which is using for spreading this Android spyware and those pages are registered by an attacker since 2015 and most recent domain registered in 2017.

This Malware has some dangerous stealing functions such as record audio surroundings via the microphone when an infected device is in a specified location, stealing of WhatsApp messages via Accessibility Services also it can enter into an infected wifi network.

Since the beginning of this malware evolution, its future keep changing many times and every time malware authors added many advance functionality and obfusticated techniques.

Some of the other versions of this malware also detected which has some extreme capability such as exfiltrate the data, like call records, text messages, geolocation, surrounding audio, calendar events, and other memory information stored on the device.

Also Read: Self-Destructive KillDisk Malware Overwrites then Deletes files and Force a Reboot

How Does this Skygofree Android Spyware Works

Malware authors are using HTTP, XMPP, binary SMS, and FirebaseCloudMessaging protocols to control this malware.

Its uses around 48 different commands in a code to perform various malicious operations some of following.

  • geofence – used for record surrounding audio.
  • Social -command that starts the ‘AndroidMDMSupport’ service
  • wifi – this command creates a new Wi-Fi connection and establish a connection with attacker network
  • Camera – this command records a video/capture a photo

According to Kaspersky labs, this Android spyware implant developed with various stages and added many futures in each and every version.

The attacker using reverse shell module that helps to connect to the command & control server.

Researchers  find an important payload binary that is capable of exploiting several known vulnerabilities and this payload binary added in 2016 according to the timestamp.

Once this malware download and unpacking, then it exploiting the some of dangerous known vulnerabilities and module attempts to get root privileges on the device.

CVE-2013-2094
CVE-2013-2595
CVE-2013-6282
                                      CVE-2014-3153 (futex aka TowelRoot)
CVE-2015-3636

The exploit payload code shared many similar capabilities of public android rooting tools 

It also using a tool called busybox that provides several Linux tools in a single ELF file to steal the Whatsup encryption key

Skygofree using social payload to other installed social media applications such as facebook messenger, whatsup, viber, and Line.

According to Trend Micro, As mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way. The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages.

Aslo researchers found multiple components that form an entire spyware system for the Windows platform.

These windows components also having some advance stealing futures such as sending data, keylogging, screenshot capturing and recording Skype calls.

Researchers believes that the Skygofree Android implant is one of the most powerful spyware tools As a result of the long-term development process, there are multiple, exceptional capabilities.

You can download a complete Indicators of Compromise Skygofree IOC.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

3 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

3 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago