Skygofree malware reminiscent of Hacking Team

Kaspersky Lab researchers analyzed what they described as one of the most powerful Android malware believed to be designed by an Italian IT company that works on surveillance solutions, similar to Hacking Team.

Dubbed Skygofree, the malware is believed by researchers to be the result of a long-term development process that began at least three years ago, at the end of 2014, according to a Jan. 16 blog post.

In October 2017, researchers discovered the new variant displaying features previously unseen in the wild, such as the ability to record surrounding audio in specified locations, the stealing of WhatsApp messages via Accessibility Services, and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.

The malware also featured other advanced abilities, including the use of multiple exploits for gaining root privileges, a complex payload structure, and the ability to collect a wide range of data for exfiltration, such as call records, text messages, geolocation, surrounding audio, calendar events, and other information stored in the device's memory.

The threat actors also paid special attention to how the malware behaves on Huawei devices: the malware is able to determine when it is running on one of those devices and adapts accordingly. Researchers also spotted several related spyware tools for Windows that form an implant for exfiltrating sensitive data from a targeted machine.

Researchers said the code and functionality of the malware have changed numerous times, from simple unobfuscated malware to sophisticated multi-stage spyware that gives attackers full remote control of the infected device.

Once a device is infected, threat actors have the ability to control the malware via the HTTP, XMPP, binary SMS and FirebaseCloudMessaging (or GoogleCloudMessaging in older versions) protocols.

Skygofree also features a reverse shell, which is an external ELF file compiled by the attackers to run on Android; an exploit payload that targets several known vulnerabilities to escalate privileges; a BusyBox payload; a social payload; and a parser payload.

“With a long history of governments trying to eavesdrop through WhatsApp or break its encryption, the sophistication of this malware is far above common criminal-level,” Rod Soto, director of security research at JASK, told SC Media. “The app allows for true end-to-end encryption – making it a good tool for private communications. As such, it has been abused by criminals.”

Soto said the new malware tries to intercept communications at the origin or destination level by using Android hacking tools that compromise content as it is being produced or read. The threat actors then use the phone's root privileges to read and extract messages and content that is encrypted.

“These indicators lead me to believe that this is the work of professional criminals – possibly state-sponsored – or some actor that has skills above the average criminal,” Soto added.

Kaspersky researchers said that, given their analysis of the malware's infrastructure, they are pretty confident the developer is following in the footsteps of the infamous Hacking Team.