In an advisory last week, Kaspersky Lab described a new Android spyware tool it is calling Skygofree, which has several capabilities not previously seen in the wild. The security firm noted a long-running development effort: since the end of 2014, the company behind it has used spoofed web pages to distribute a highly sophisticated Android implant for surveillance of targeted individuals. The implant's functionality has been extended gradually over that period, giving it a range of James Bond-style spying abilities. For instance, it can record ambient audio through the microphone when the infected device enters a specified location; it can connect the infected device to attacker-controlled Wi-Fi networks; and it can read WhatsApp messages through Android Accessibility Services, sidestepping the app's end-to-end encryption by capturing message text as it is displayed on screen rather than breaking the cryptography.
The spyware can also add itself to the list of protected apps on an infected device so that it is not automatically shut down by power-saving measures when the screen is turned off.
Skygofree supports 48 commands in total, which attackers can issue to perform malicious actions on an infected device. Remote operators can control the malware over HTTP, binary SMS messages, the Extensible Messaging and Presence Protocol (XMPP), and Firebase Cloud Messaging (FCM), according to Kaspersky Lab.
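The capability set described above (microphone, location, an Accessibility Service, a receiver for binary SMS, Wi-Fi control) is unusual in combination, and a common first triage step for a suspicious APK is to read its manifest and flag that combination. The following is an added example written for this article, not code from Kaspersky's report or from the implant itself; the sample manifest is constructed, the permission and intent-action names are the standard Android ones, and the scoring rule (Accessibility Service plus at least two other surveillance capabilities) is an analyst's heuristic, not a published detection signature.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's form of the android: attribute prefix

# Constructed sample manifest (not a real Skygofree artifact): an app that
# declares the surveillance capabilities the advisory describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsRx">
      <intent-filter>
        <action android:name="android.intent.action.DATA_SMS_RECEIVED"/>
        <data android:scheme="sms" android:port="7777"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: a network client with no
# surveillance-style permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

# Capability name -> where to look in the manifest and what value to match.
INDICATORS = {
    "mic": ("perm", "android.permission.RECORD_AUDIO"),
    "location": ("perm", "android.permission.ACCESS_FINE_LOCATION"),
    "sms": ("perm", "android.permission.RECEIVE_SMS"),
    "wifi_control": ("perm", "android.permission.CHANGE_WIFI_STATE"),
    "accessibility": ("service_perm", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "binary_sms": ("action", "android.intent.action.DATA_SMS_RECEIVED"),
}


def triage_manifest(xml_text):
    """Return the surveillance capabilities declared in an AndroidManifest.xml.

    Result: {"capabilities": [...], "sms_ports": [...], "suspicious": bool}.
    The "suspicious" rule is a heuristic (assumption): an Accessibility
    Service combined with at least two other listed capabilities.
    """
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    service_perms = {e.get(A + "permission") for e in root.iter("service")}
    actions = {e.get(A + "name") for e in root.iter("action")}
    sources = {"perm": perms, "service_perm": service_perms, "action": actions}

    capabilities = [cap for cap, (kind, value) in INDICATORS.items()
                    if value in sources[kind]]

    # Application ports on <data android:port=...> inside a receiver's filter
    # show which binary (data) SMS port the app listens on: a C2 lead.
    sms_ports = [d.get(A + "port") for d in root.iter("data") if d.get(A + "port")]

    others = [c for c in capabilities if c != "accessibility"]
    suspicious = "accessibility" in capabilities and len(others) >= 2
    return {"capabilities": capabilities, "sms_ports": sms_ports,
            "suspicious": suspicious}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(text))
```

On a real APK the manifest is binary XML; decode it first with a tool such as apktool or androguard and feed the resulting text to triage_manifest. The result is a lead for analysts, not a verdict: legitimate accessibility apps also request BIND_ACCESSIBILITY_SERVICE, which is why the rule requires the combination rather than any single permission.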
Kaspersky notes that the domains hosting the spoofed landing pages have been registered since 2015, which appears to be the year in which the distribution campaign was at its busiest. The activity continues, however: the most recent domain was registered in October 2017.
It is unclear how victims are led to the fake landing pages from which the malware is distributed.
“It could be some kind of malicious redirect or targeted phishing with a link,” says Alexey Firsh, Malware Analyst at Kaspersky Lab. “We don’t know exactly, but these phishing sites were not public-forced and [a] user that is reading news or watching funny videos could not just get to these pages” by accident, he says.
Based on Kaspersky Security Network (KSN) telemetry, the firm found that the targets are exclusively in Italy. Kaspersky says, “Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like Hacking Team.”
Hacking Team is a so-called lawful-intercept software vendor based in Milan, Italy. Other developers in the same market include RCS Lab of Milan and FinFisher of Munich. Intelligence and law enforcement agencies worldwide use software from these vendors to conduct surveillance and carry out investigations.
Hacking Team has faced a series of difficulties since its founding in 2003. In 2015, it was breached by a hacktivist and its internal emails were leaked across the web; the investigation into the culprit is ongoing. In 2016, the Italian Ministry of Economic Development (MISE) revoked its global export license. Its CEO, David Vincenzetti, is under investigation over some of the deals he made overseas. Hacking Team has frequently been targeted by activists for selling to nations with poor human rights records, such as Egypt, Ethiopia, Russia and Vietnam. It has also held contracts with the FBI and the Drug Enforcement Administration (DEA) in the US.
Research firm MarketsandMarkets estimated last year that global demand for lawful-intercept tools would reach $1.3 billion by 2019.