CyberWisdom Safe Harbor Commentary:
Researchers at Kaspersky uncovered “one of the most powerful” Android spyware tools that it has ever seen; the tool is considered powerful due, in part, to advanced surveillance capabilities that have never before been seen in the wild. Dubbed Skygofree, after a word used in one of its domains, Kaspersky said the malware has “multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations.”
thumbnail courtesy of csoonline.com
Security Affair added:
“Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.”
In this post, I’ll show you that the malware was first found by ESET security researcher Lukas Stefanko, and that the first detailed analysis of the spyware (titled “Malware Analysis Report: Fake 3MobileUpdater”) was published by the experts at the CSE Cybsec ZLab.
According to Kaspersky, Skygofree has been distributed through fake web pages mimicking leading mobile network operators. The attackers have been registering the domains used in the attack since 2015.
The most recently observed domain was registered on October 31, 2017. According to Kaspersky data, the malicious code was used against several infected individuals, exclusively in Italy.
Technical Analysis: How Does this Skygofree Android Spyware Work?
Malware authors use HTTP, XMPP, binary SMS, and Firebase Cloud Messaging protocols to control this malware.
It uses around 48 different commands in its code to perform various malicious operations, including the following:
- geofence – records surrounding audio when the device is in a specified location
- social – starts the ‘AndroidMDMSupport’ service
- wifi – creates a new Wi-Fi connection and connects the device to the attacker’s network
- camera – records a video or captures a photo
According to Kaspersky Lab, this Android spyware implant was developed in several stages, with many features added in each new version.
The attackers also use a reverse shell module that connects back to the command & control server.
Researchers also found an important payload binary that is capable of exploiting several known vulnerabilities; according to its timestamp, this payload binary was added in 2016.
Once the malware is downloaded and unpacked, this module exploits some dangerous known vulnerabilities and attempts to gain root privileges on the device, among them:
CVE-2014-3153 (futex aka TowelRoot)
The exploit payload code also shares many capabilities with public Android rooting tools.
It also uses a tool called busybox, which provides several Linux utilities in a single ELF file, to steal the WhatsApp encryption key.
Skygofree uses its social payload against other installed social media applications such as Facebook Messenger, WhatsApp, Viber, and Line.
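The capabilities listed above (location-triggered audio recording, Wi-Fi control, binary SMS as a command channel, camera capture, and an Accessibility Service used to scrape messages) each require permissions and components an app must declare in its AndroidManifest.xml. The following is an added example, not code from the page or from Kaspersky, of a small triage script that parses a manifest and flags those combinations. The manifest text, the package name, and the rule thresholds are constructed assumptions for illustration; only the ‘AndroidMDMSupport’ service name is taken from the write-up.

```python
"""Flag AndroidManifest.xml permission/component combinations that match
the Skygofree behaviours described above. Constructed example for triage
and education; the rules are illustrative assumptions, not a vendor's logic."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Each rule maps a behaviour from the write-up to the permission set an app
# would need to declare for it (assumed mapping, kept deliberately simple).
RULES = {
    "location-triggered audio recording": {
        "android.permission.RECORD_AUDIO",
        "android.permission.ACCESS_FINE_LOCATION",
    },
    "attacker-controlled wifi connection": {
        "android.permission.CHANGE_WIFI_STATE",
        "android.permission.ACCESS_WIFI_STATE",
    },
    "binary sms command channel": {"android.permission.RECEIVE_SMS"},
    "camera capture": {"android.permission.CAMERA"},
}


def parse_manifest(xml_text: str):
    """Return (declared permissions, names of accessibility services)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # A service bound with BIND_ACCESSIBILITY_SERVICE can read on-screen
    # content of other apps, which is how message scraping is done.
    accessibility = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    ]
    return perms, accessibility


def assess(xml_text: str):
    """Return the list of behaviour rules the manifest satisfies."""
    perms, accessibility = parse_manifest(xml_text)
    findings = [name for name, needed in RULES.items() if needed <= perms]
    if accessibility:
        findings.append(
            "accessibility service (message scraping risk): "
            + ", ".join(accessibility)
        )
    return findings


# Constructed sample mimicking a fake "updater" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdater">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".AndroidMDMSupport"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed benign manifest: only network access, no sensitive combos.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_MANIFEST):
        print("FLAG:", finding)
    print("benign findings:", assess(BENIGN_MANIFEST))
```

Run it against a manifest pulled from an APK with `apktool` or `aapt`; a hit on several rules at once is a reason to look closer, not proof of compromise, since legitimate MDM or telecom apps can legitimately hold some of these permissions.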
Read more on the technical details:
Skygofree – Highly Sophisticated Android Spyware Discovered that Almost Steals Everything in Your Mobile
Highly persistent Android spyware called Skygofree has been discovered that was developed with many advanced features to steal as much data as possible from victims, and the malware authors have kept adding sophisticated features since 2014. Researchers found many malicious web pages that mimic mobile operator pages and are used to spread this Android spyware…
Powerful Skygofree spyware was reported in November by Lukas Stefanko and first analyzed by CSE CybSec
The Skygofree spyware analyzed by Kaspersky today was first spotted by the researcher Lukas Stefanko, and the first analysis was published last year by the CSE Cybsec ZLab. Security researchers at Kaspersky Lab have made the headlines because they have spotted a new strain of a powerful Android spyware, dubbed Skygofree, that was used to gain full control…
Skygofree — Powerful Android Spyware Discovered
Security researchers have unveiled one of the most powerful and highly advanced Android spyware tools, which gives hackers full remote control of infected devices. Dubbed Skygofree, the Android spyware has been designed for targeted surveillance, and it is believed to have been targeting a large number of users for the past four years. Since 2014, the Skygofree implant has gained several…
If you would like to receive more of these curated safe harbor news alerts, subscribe to my mailing list, and come back soon to https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries.