‘Advanced Android spyware only infects Italian targets’
Security firm Kaspersky has discovered a variant of Android spyware that it calls Skygofree. The malicious software reportedly only infects targets in Italy and is said to originate from an IT company in that country. The malware has been active since 2014.
In its analysis, Kaspersky writes that the malware provides several advanced functions for obtaining information about victims. There are 48 commands in total, which the company lists in an appendix. Among them is the ‘geofence’ command, which turns on the microphone of an infected device once it arrives at a certain geographic location. The so-called implant can also steal various data, such as clipboard contents, the WhatsApp message database and other specific files. It is also possible, for example, to set up a reverse shell or to obtain elevated privileges by exploiting vulnerabilities, such as via TowelRoot.
The malware is said to be spread via fake landing pages that imitate those of mobile carriers. There, targets are presented with a message that an update is required to prevent ‘malfunctions’. After the malware is downloaded and launched, the victim is shown a message that their configuration is being updated. The app icon then disappears and subsequent actions are likewise invisible to the user. There are several ways to control the implant once it is on a device: via HTTP, XMPP, SMS and Firebase Cloud Messaging, according to Kaspersky.
A victim could be sent to such a landing page by, for example, connecting to a malicious Wi-Fi network. The malware also has a Wi-Fi module on board, which configures a particular Wi-Fi network on the device; if the victim comes within range of it, the phone connects automatically. According to Kaspersky, the malware has been active since late 2014, and 2015 was the year with the most activity. The last activity noted by the company was in October of last year. Based on its own statistics, Kaspersky has determined that only targets in Italy are infected.
In addition, Italian comments and references to variants of the word “Negg” have been found in the code, which shares similarities with existing spyware variants. According to Forbes, Negg is an Italian company that provides security services. An anonymous source in the Italian surveillance world tells the site that the company may be collaborating with the police and “filling the void that Hacking Team has left behind.” Hacking Team is an Italian company that develops spy software and was itself hacked in 2015. In addition to the Android spyware, Kaspersky also found malware for Windows, which can be used, among other things, to record Skype conversations.
Timeline of malware development