Researchers Discovered 'Skygofree', A Malware That Could Do Anything To Infected Devices

Security researchers from Kaspersky have discovered a piece of malware that may be one of the most powerful and advanced Android spyware tools ever seen, giving attackers full control of infected devices.

Dubbed 'Skygofree' (named after one of the domains on which it was first found), the malware is a sophisticated multi-stage spyware tool that gives attackers full remote control of the infected device using a reverse shell payload and a command and control (C&C) server architecture.

In practice, this means it can spy on infected Android devices and remotely do anything on them.

The malware is usually disguised as an app that promises to increase internet speed, downloadable from fake websites designed to resemble those of mobile carriers. Most of those fake websites have been registered by the attackers since 2015, the year in which the distribution campaign was most active, according to Kaspersky's telemetry data.

Once installed, it hides its icon and starts background services to conceal further actions from the user.

It also includes a self-protection feature that prevents its services from being killed.

According to the technical details published by the researchers, Skygofree includes multiple exploits to escalate privileges to root access, which lets it execute the most sophisticated of its payloads on the infected Android devices.

The damage Skygofree can do to an infected device includes:

  • Tracking the device’s location, including the ability to record audio at specified locations.
  • Forcing the device to connect to a malicious Wi-Fi network controlled by the attackers to enable man-in-the-middle attacks.
  • Reading data from other installed apps on the device, including Facebook, WhatsApp, LINE, and Viber, by going through Android’s Accessibility Services.
  • Also using Android's Accessibility Service, getting information directly from the elements displayed on the screen.
  • Accessing the device's front-facing camera to take a picture.
  • Intercepting calls, SMS messages, calendar entries, and any other information stored in the device's memory.

"There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features," the researchers said.

The Android spyware has been designed for targeted surveillance. The researchers believe it has been targeting a large number of Android users since 2014.

The tool is said to have originated in Italy, which is also home to the infamous 'Hacking Team', one of the world's bigger players in the spyware trade.

"Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam," said the researchers in their report.

Kaspersky didn't release the name of the Italian company behind the spyware, but said its researchers found several references to the Rome-based technology company "Negg" in the spyware's code.

Negg specializes in developing and trading legal hacking tools.

Android users can protect themselves from Skygofree by not installing apps from sources they are not familiar with: stick to downloading from Google's Play Store, and use recent versions of Android.

Caution is also needed before installing apps that promise to boost internet speed for free.

Published: 17/01/2018