
Skygofree: 'Worst ever' Android spyware infects Italians

Richi Jennings, Industry analyst and editor, RJAssociates

At least two security firms are claiming to have discovered an exceptionally nasty new spyware strain.

Dubbed "Skygofree" by Kaspersky Lab, it can silently root an Android phone, record audio, spy on WhatsApp, and more. It was apparently created by an Italian company, Negg s.r.l., which seems to have sold it to government and law enforcement.

But now the cat’s out of the bag. In this week’s Security Blogwatch, we separate hyperbole from reality.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Sippin' On Hip Hop


Android malware amps up

What’s the craic? John Leyden jars us awake:

Mobile malware strain Skygofree may be the most advanced Android-infecting nasties ever. … Active since 2014, [it] is spread through web pages mimicking leading mobile network operators and geared towards cyber-surveillance.

All the victims of the ongoing campaign detected so far have been located in Italy. [It] gives attackers full remote control of an infected device.

Skygofree has no connection to Sky, Sky Go or any other subsidiary of Sky.

Sounds bad. But is it? Thomas Fox-Brewster headlines it as One Of The 'Most Powerful' Android Spyware Tools Ever:

Italy is home to a remarkably bustling smartphone spyware industry. Hacking Team, [which] infamously hacked itself in 2015, somehow remains one of the bigger players. But there are others: IPS, Area IT and RCS to name a few. [There are] multiple references to Rome-based Negg in the [Skygofree] spyware's code.

Two sources with knowledge of the Italian surveillance scene said Negg was a small company that worked with prosecutors primarily in Italy. … The surveillance tool was being delivered via a handful of websites, including fake network update pages from different telecoms giants, including Three and Vodafone, all registered in 2015.

Who discovered it? Kaspersky’s Nikita Buchka and Alexey Firsh claim first dibs:

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen. … We believe the initial versions of this malware were created at least three years ago.

The implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding audio, calendar events, and other … information stored on the device.

The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for [Android]. … There are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.

O RLY? CSE CybSec CTO Pierluigi Paganini begs to differ:

The Skygofree spyware analyzed by Kaspersky today was first spotted by [ESET] researcher Lukas Stefanko … last year. … Kaspersky Lab have made the headlines because they have spotted a new strain.

The OPsec implemented by [Negg] is very poor. The name of the company is present in multiple references of the code. Not only [that], one of the control domains registered by the attacker is linked to [it].

The best way to prevent yourself from being a victim is to avoid downloading apps via third-party websites, app stores or links provided in SMS messages or emails.

So should we shun shady sideloads? Copyy thatt, Rann Xeroxx: [You're fired—Ed.]

It sounds like you have to sideload this from … outside the Google store. I fully support Android continuing to allow sideloading, as I use it as well, but maybe they need to put a lot more warnings and prompts before you can do it and make you turn it on for each app you do instead of leaving it on.

But sideloading is rather more difficult on an iPhone. Danny Palmer surveys the Trojan’s remarkable spying abilities:

Given the treasure trove of information a mobile device can provide to attackers, it's no surprise that those behind Skygofree put their main focus on Android, especially given the chance it offers to track a user's movement and therefore activate attacks based on location.

Anyway, it sounds dead nasty. DigitAl56K agrees:

And let me guess, 90%+ of Android devices today will never receive updates that close all the exploits this thing takes advantage of.

Android: For when you want to receive only semi-regular security updates for only a handful of models from a few manufacturers for a few years tops.

But do we have any idea which Android phones are vulnerable? AmiMoJo does (kinda):

Actually no Android devices are vulnerable to this. You have to enable installing apps from your browser, download it, install it, and then agree to all the permissions it demands. It doesn't use an exploit to install itself; it uses social engineering with web pages made to look like legit ones offering app updates.

Meanwhile, brenbart waxes depressing:

Yup, the smartphone … is every bit the security nightmare we all knew it would be from the very beginning.

Anybody willing to give their phone up? Yeah, me neither.
The moral of the story? Make sure your Android users don’t fiddle with the “allow unknown sources” setting. And if they’ve been to Italy recently, maybe audit their devices?

And finally …

Thirsty?

Sippin' On Hip Hop, by Eclectic Method

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: JD Hancock (cc:by)
