Researchers have discovered an advanced form of spyware affecting Android devices that has been active since 2014.
The researchers, from Kaspersky Lab, say it is a mobile implant, which has been designed for targeted cyber surveillance – potentially as an “offensive security product”.
Named Skygofree, the implant has functionality that the researchers say has never been seen in the wild before, including location-based audio recording through infected devices. They discovered that it is spread through web pages mimicking leading mobile network operators.
Skygofree gives attackers full remote control of an infected device, and has undergone continuous development since the first version was created at the end of 2014. It also allows Accessibility Services to steal WhatsApp messages and gives hackers the ability to connect an infected device to WiFi networks controlled by them.
The researchers have discovered that the implant carries “multiple exploits for root access”, while also being capable of taking pictures and videos and seizing call records, SMS, geolocation, calendar events and business-related information stored in the device’s memory.
It also comes with a special feature that enables it to circumvent a battery-saving technique implemented by a top device manufacturer. It has been discovered that the implant adds itself to the list of ‘protected apps’ so it will not be switched off automatically when the screen is off.
Alexey Firsh, malware analyst in targeted attacks research at Kaspersky Lab, said: “High-end mobile malware is very difficult to identify and block, and the developers behind Skygofree have clearly used this to their advantage: creating and evolving an implant that can spy extensively on targets without arousing suspicion.
“Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam.”