TACTICAL CYBER INTELLIGENCE REPORT
Actor Type: II
Serial: TR-18-033-001
Countries: CN, IN
Report Date: 20180119
Skygofree – A Powerful Android Spyware
Researchers have unveiled a powerful spyware variant that provides attackers complete control of the target device remotely. The malware was first seen in 2014. It has evolved over time, from simple un-obfuscated malware in the beginning, to sophisticated multi-stage spyware that provides attackers full remote control of the infected device.
Feature Set
Some of the Spyware features include:
- Recording audio, using device microphone
- Taking pictures secretly using front and back camera
- Accessing call logs, contacts, calendar events and SMS messages
- Monitoring popular applications like Facebook Messenger, WhatsApp, Viber and Skype
- Reading WhatsApp messages using Accessibility Services
- Leveraging a reverse shell payload which can connect to a server to give real time control of device to the attackers
- Gaining root privileges using accounts
- Clipboard stealing
- Location tracking and movement detection
- Forced connection to particular Wi-Fi networks
- Remote command and control
The spyware hides the app icon and installs various services to remain undetected by the user. [1]
The malware has modules which allow it to update itself with new features.
How to check if you are infected?
The current malware sample shows itself as “System Update” in search results.
If you launch the app, it starts running in the background but removes its own icon to give you the impression that the “update” has finished. The app still shows up on the System -> Apps page, where you can stop it and uninstall it.
Mitigation and Prevention strategies
Following steps should be taken by customer to avoid infections by such malware:
- Install apps only from Play Store
- Use Android antivirus
- Don’t trust system updates offered by third parties
- If you are unsure about an app - don’t install it
- Disable, “Allow installation of apps from Unknown Sources”
Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.
[1] https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/
Comments