Researchers recently came across a Trojan that deserves a lot of attention due to its highly sophisticated spying capabilities. The Trojan is named Skygofree, after one of the domains it used, and its target is Android. Skygofree was discovered and analyzed by Kaspersky Labs, and “is overflowing with functions”, some of which have not been seen anywhere else.
One of these unique features is its capability to track the location of the compromised device and turn on audio recording when the owner is at a specific location. What does this mean? Attackers can start eavesdropping on victims in a highly targeted manner according to their location – like the office or the home of a high-profile CEO.
Skygofree Android Trojan – Technical Overview
Besides the highly targeted location tracking, the Trojan can connect an infected device (smartphone or tablet) to a Wi-Fi network controlled by the hackers. And this can happen despite the device’s disabled Wi-Fi connection! Once the device is connected, the victim’s traffic can be collected and analyzed by the attackers, and this information can be exploited in further ways. Visited websites, logins, passwords, and financial details can be compromised.
And that’s far from all. The Trojan can keep operating in standby mode, which means Skygofree can manipulate Android’s functionality. The latest version of the mobile OS can automatically stop inactive processes to save battery power, but the Trojan can evade this feature by sending system notifications. Moreover, on popular smartphones where all apps except for favorites are stopped when the screen is turned off, Skygofree adds itself automatically to the favorites list, researchers add.
Skygofree Android Trojan Malicious Capabilities
The Skygofree Trojan is also capable of monitoring mobile apps such as Facebook Messenger, Skype, WhatsApp and Viber. The Trojan can specifically read WhatsApp messages through Accessibility Services, which researchers say is a kind of digital eye that reads whatever is displayed on the screen. If abused by attackers, this can be very dangerous. “Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request,” researchers add.
Furthermore, the Trojan can covertly turn on the front camera of the device to take shots at the moment the user unlocks the device. In addition to everything described so far, Skygofree can also:
- Intercept calls and SMS messages;
- Collect calendar entries and other types of personal user data.
Researchers detected the malware at the end of 2017, but the analysis showed that hackers have been using and improving it since 2014. Over these three years, it has evolved into multifunctional spyware that can intrude on the user in various unbelievable ways.
Skygofree Android Trojan Distribution Techniques
The Trojan is spread with the help of fake mobile operator websites, which it uses to conceal itself. The malware poses as an update to improve mobile Internet speed. If the potential victim is tricked by this promise and downloads the Trojan, it will display a notification that setup is in progress. Then it will conceal itself from the user and will request instructions from the command and control server. Later it can download various payloads according to the response. The payloads fit various occasions, meaning that victims can be affected in the most unexpected ways.
Needless to say, to avoid infection by Skygofree, users should be extra careful with the apps they download on their Android devices. It is highly advisable to pay attention to the smallest of details, even spelling mistakes in the names of the apps, as these details speak volumes about the app’s authenticity.
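The Accessibility Services abuse and the fake-update distribution described above suggest a simple device audit: list the apps that hold an enabled accessibility service and were not installed from a trusted store. The following is an added example, not code from the researchers' report; it assumes the two inputs were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and the package names in the sample data are constructed.

```python
import re

# Installers treated as trusted in this example (an assumption; adjust per fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output):
    """Map third-party package name -> installer (None when sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def parse_accessibility(setting_value):
    """Split the colon-separated 'package/class' list into (package, class) pairs."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    pairs = []
    for component in value.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            pairs.append((pkg, cls))
    return pairs


def flag_sideloaded_accessibility(setting_value, pm_output):
    """Return (package, class, installer) for third-party accessibility
    services whose package did not come from a trusted installer.
    Packages absent from the -3 listing are system apps and are skipped."""
    installers = parse_installers(pm_output)
    return [(pkg, cls, installers[pkg])
            for pkg, cls in parse_accessibility(setting_value)
            if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS]


# Constructed sample inputs (hypothetical package names).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.speedupdate/.ui.HelperService")
SAMPLE_PM = """package:com.example.speedupdate  installer=null
package:com.example.notes  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, cls, installer in flag_sideloaded_accessibility(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {pkg}/{cls} (installer={installer})")
```

A flagged entry is a prompt for manual review, not proof of infection, since legitimately sideloaded apps can also register accessibility services.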