google-site-verification: google30a059f9a075f398.html

Round-up: Advanced surveillance tools on Android with Skygofree, a powerful spyware

CyberWisdom Safe Harbor Commentary:

This story from csoonline.com calls out a revealing story that security researchers have released one of the most powerful and sophisticated spyware tools that enables hackers to remotely control infected devices.


Android spyware, known as Skygofree, was designed for targeted monitoring and is believed to have targeted a large number of users for the past four years.

As of last October, Skygofree became a sophisticated multi-phased spyware tool that allowed attackers to take full advantage of remote shell payload and command and control (C & C) server architectures to fully control infected devices.

According to the technical details released by the researchers, Skygofree includes multiple exploits to enhance root access, giving it the ability to perform the most complex payloads on infected Android devices.
skygofree-Android Malware WhatsApp
One such payload allows the implant to execute a shellcode and steal data belonging to other applications installed on the target device, including Facebook, WhatsApp, Line and Viber.

The researchers said: “There are a number of special features: using multiple attacks to gain root privileges, complex payload structures, and monitoring capabilities never before seen.

Skygofree’s Control (C & C) server also allows attackers to remotely capture images and videos, capture call logs and text messages, and monitor users’ geolocation, calendar events, and any information stored in the device’s memory.

In addition, Skygofree also enables man-in-the-middle attacks by recording audio through microphones while the infected device is in a specific location and forcing the infected device to connect to a threatened Wi-Fi network controlled by an attacker.

Kaspersky discovered several Italian equipment that infected Skygofree, claiming it to be one of the most powerful and advanced mobile implants ever.

Although the security company did not confirm the name of the Italian company behind the spyware, it found several references to the Roman technology company “Negg” in the spyware code. Negg also specializes in the development and trading of legitimate hacking tools.
The best way to prevent yourself from becoming a victim is to avoid downloading the application through a third-party website, an app store, or a link provided via SMS or email.

 CSOOline added:

The “social” command allows files from any other installed app to be captured. Kaspersky gives examples of how it steals Facebook data, Facebook messenger, WhatsApp, Viber and LINE for free calls and messages. The payload targeting WhatsApp messenger uses the Android Accessibility Service to grab WhatsApp text messages.

The Android implant has a camera command that is triggered to record video or capture a photo when the device is unlocked. It includes other spyware capabilities such as grabbing call records, text messages, tracking location, snatching calendar events, recording surrounding audio and snagging other information stored on the device; there’s also a command to create a new Wi-Fi connection to connect to the attackers’ network.

Read more…

Researchers at Kaspersky uncovered “one of the most powerful” Android spyware tools that it has ever seen; the tool is considered powerful due, in part, to advanced surveillance capabilities that have previously never been seen in the wild.Dubbed Skygofree, due to the word being used in one of its domains, Kaseprsky said the malware has “multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.”To read this article in full, please click here… Engaging post, Read More…

thumbnail courtesy of csoonline.com

Security Affair added:

“Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.”

In this post, I’ll show you that the malware was first found by the security researcher at ESET Lukas Stefanko and the first detailed analysis of the spyware (titled “Malware Analysis Report: Fake 3MobileUpdater“) was published by the experts at the CSE Cybsec ZLab.

According to Kaspersky, Skygofree has being distributed through fake web pages mimicking leading mobile network operators. The attackers registered some of the domains used in the attack since 2015.

The most recently observed domain was registered on October 31, 2017, according to Kaspersky data the malicious code was used against several infected individuals, exclusively in Italy.

read more…

Technical Analysis: How Does this Skygofree Android Spyware Works 

Malware authors are using HTTP, XMPP, binary SMS, and FirebaseCloudMessaging protocols to control this malware.

Its uses around 48 different commands in a code to perform various malicious operations some of following.

  • geofence – used for record surrounding audio.
  • Social -command that starts the ‘AndroidMDMSupport’ service
  • wifi – this command creates a new Wi-Fi connection and establish a connection with attacker network
  • Camera – this command records a video/capture a photo

According to Kaspersky labs, this Android spyware implant developed with various stages and added many futures in each and every version.

The attacker also using reverse shell module that helps to connect to the command & control server.

Researchers also find an important payload binary that is capable of exploiting several known vulnerabilities and this payload binary added in 2016 according to the timestamp.

Once this malware download and unpacking, then it exploiting the some of dangerous known vulnerabilities and module attempts to get root privileges on the device.

CVE-2013-2094
CVE-2013-2595
CVE-2013-6282
                                      CVE-2014-3153 (futex aka TowelRoot)
CVE-2015-3636

Also, the exploit payload code shared many similar capabilities of public android rooting tools 

It also using a tool called busybox that provides several Linux tools in a single ELF file to steal the Whatsup encryption key

Skygofree using social payload to other installed social media applications such as facebook messenger, whatsup, viber, and Line.

read more on technical details:

Skygofree – Highly Sophisticated Android Spyware Discovered that Almost Steal Everything in Your Mobile

https://gbhackers.com/skygofree-android-spyware/Highly persistent Android Spyware called Skygofree discovered that has been developed with many advance futures to steal as many as data from victims and malware authors are keep adding many sophisticated Futures since 2014. Researchers found many malicious web pages that mimic as mobile operator page which is using for spreading this Android spyware and… Skygofree – Highly Sophisticated Android Spyware Discovered that Almost Steal Everything in Your Mobile

 

 

Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec

http://securityaffairs.co/wordpress/67815/malware/skygofree-surveillance-software.htmlThe Skygofree spyware analyzed by Kaspersky today was first spotted by the researcher Lukas Stefanko and the first analysis was published last year by the CSE Cybsec ZLab. Security researchers at Kaspersky Lab have made the headlines because they have spotted a new strain of a powerful Android spyware, dubbed Skygofree, that was used to gain full control… Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec

 

Skygofree — Powerful Android Spyware Discovered

https://thehackernews.com/2018/01/android-spying-malware.htmlSecurity researchers have unveiled one of the most powerful and highly advanced Android spyware tools that give hackers full control of infected devices remotely. Dubbed Skygofree, the Android spyware has been designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years. Since 2014, the Skygofree implant has gained several… Skygofree — Powerful Android Spyware Discovered

 

If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post » Round-up: Advanced surveillance tools on Android with Skygofree, a powerful spyware

6 Comments