Mobile

1/16/2018
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Kaspersky Lab Warns of Extremely Sophisticated Android Spyware Tool

Skygofree appears to have been developed for lawful intercept, offensive surveillance purposes.

An Italian IT company has been using spoofed web pages to quietly distribute an extremely sophisticated Android spyware tool for conducting surveillance on targeted individuals since sometime in 2015.

In an advisory Tuesday, security vendor Kaspersky Lab described the tool, named Skygofree, as containing location-based audio recording capabilities and other functionality never before seen in the wild.

Available telemetry suggests the multi-stage spyware was first developed in 2014 and has been in continuous development since then. The Android implant gives attackers the ability to take complete administrative control of infected devices and to snoop in on conversations and nearby noises when the device enters specific locations, Kaspersky Lab said.

Skygofree is also designed to steal WhatsApp messages via Android's Accessibility Services and to connect infected devices to attacker-controlled Wi-Fi networks. Its other capabilities include the ability to surreptitiously take videos and pictures, steal call records and SMS messages, and grab geolocation data, calendar events, and other information from infected devices.

Interestingly, the spyware tool has the ability to add itself to the list of protected Android apps on an infected device so it doesn't get automatically shut down when the screen is turned off.

In total, Skygofree supports 48 different commands that attackers can use to execute various malicious actions on an infected device. Attackers can control the malware using HTTP, binary SMS messages, the Extensible Messaging and Presence Protocol (XMPP), and FirebaseCloudMessaging services, according to Kaspersky Lab.

The same IT firm that developed the malware also appears to be distributing it, says Alexey Firsh, malware analyst at Kaspersky Lab. The firm has been using web pages spoofed to appear like they belong to leading mobile network providers to deliver the malware on Android devices.

The first spoofed landing pages were registered in 2015. The most recent domain was registered last October suggesting the distribution campaign is still active. "Based on the infrastructure analysis we believe that it was set up by the same commercial entity which is believed to be behind the malware itself," Firsh says.

Following the Kaspersky Lab advisory, the domain Whois Record was edited, suggesting the Italian firm is now trying to cover its tracks, he noted.

Available information shows that the targets of the attacks so far have been all Italian-speaking individuals. What remains unclear is how exactly victims arrive at the spoofed landing pages from where the malware is being distributed.

"It could be some kind of malicious redirect or targeted phishing with a link," Firsh says. "We don’t know exactly, but these phishing sites were not public-forced and [a] user that is reading news or watching funny videos could not just get to these pages," by accident, he says.

Identifying and blocking high-end mobile malware such as Skygofree can be extremely challenging given their complex payload structure and native code binaries, Firsh says. Another big challenge is the relatively small number of people that get targeted with this kind of tool, making it hard for security researchers to get their hands on them.

Kaspersky Lab has not identified the developer of Skygofree by name. But the IT firm behind the spyware appears to be similar to other providers of so-called lawful intercept software such as the Milan-based HackingTeam, FinFisher of Munich, and RCS Lab of Milan. Law enforcement and spy outfits from around the world use software from companies such as these to conduct surveillance and pursue investigations.

Research firm MarketsandMarkets last year estimated that worldwide demand for law intercept tools would top $1.3 billion by 2019.

Related content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
Lessons from My Strange Journey into InfoSec
Lysa Myers, Security Researcher, ESET,  7/12/2018
What's Cooking With Caleb Sima
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14339
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the MMSE dissector could go into an infinite loop. This was addressed in epan/proto.c by adding offset and length validation.
CVE-2018-14340
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, dissectors that support zlib decompression could crash. This was addressed in epan/tvbuff_zlib.c by rejecting negative lengths to avoid a buffer over-read.
CVE-2018-14341
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the DICOM dissector could go into a large or infinite loop. This was addressed in epan/dissectors/packet-dcm.c by preventing an offset overflow.
CVE-2018-14342
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the BGP protocol dissector could go into a large loop. This was addressed in epan/dissectors/packet-bgp.c by validating Path Attribute lengths.
CVE-2018-14343
PUBLISHED: 2018-07-19
In Wireshark 2.6.0 to 2.6.1, 2.4.0 to 2.4.7, and 2.2.0 to 2.2.15, the ASN.1 BER dissector could crash. This was addressed in epan/dissectors/packet-ber.c by ensuring that length values do not exceed the maximum signed integer.