Another Italian Job: “One of the Most Powerful” Android Spyware Tools Discovered [Steals WhatsApp Messages]
Stories around Android malware and spyware shock no one anymore. It's become like a routine to see a new malware strain or a security problem targeting Android users every other week. However, things aren't always so "routine". While most of these attacks happen due to third party apps or marketplaces, when the sophisticated threat actors are involved in the process, things get scary serious.
Hacking Team was probably one of the first companies making Italy popular for selling spyware and surveillance tools to governments, including authoritarian regimes, enabling them to target dissidents, journalists and politicians. The firm rose to an international notoriety for its extremely sophisticated spying toolkits that targeted even the world's most secure devices and software.
Apparently, the company isn't the only Italian firm working on surveillance solutions. A new report published by the Russian cybersecurity firm, Kaspersky Lab, reveals that another Italian IT company has developed one of the "most powerful spyware tools" that the security researchers have seen targeting Android. The toolkit has several exploits that enable attackers to gain root privileges, record audio in specified locations, and do a lot more.
Development on "Skygofree" Android spyware started in 2014
While researchers may have discovered this now, they wrote that the development likely started on this back in 2014. Kaspersky first discovered this toolkit in October 2017 and has said that since 2014, the firm has been adding new powers to the toolkit. Naming it Skygofree (based on one of the domains), security researchers wrote that the surveillance toolkit is capable of snooping through novel methods.
For example, attackers can snoop into WhatsApp messages using Google's Accessibility Services. "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages," they wrote. While this would require a user's permission, it would display phishing text to obtain such permission from the user.
The implant is also capable of connecting an infected device to WiFi networks that are controlled by the attackers.
[Skygofree's ] functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.
The company also appears to be working on Windows implants
Similar to many attacks, the process here also appears to start with phishing techniques. Targeted users are tricked into visiting sites that mimic trusted websites, like the target's mobile operator, to distribute this Android spyware. "These domains have been registered by the attackers since 2015," researchers said. "According to our telemetry, that was the year the distribution campaign was at its most active."
Along with Android, they also appear to be working on a Windows implant for exfiltrating sensitive data on a targeted machine. However, Kaspersky said they aren't sure if the Windows one is being used in the wild.
While the statistics show infected individuals in Italy, this multistage Android spyware could also be sold to governments or corporations elsewhere. The security firm hasn't named the Italian company, but wrote that based on the infrastructure analysis, they are "pretty confident" that an Italian IT company that works on surveillance solutions is behind Skygofree.
Since Kaspersky has mentioned Hacking Team, Skygofree probably isn't a problem for an average user. Most of these companies sell their toolkits to governments, law enforcement agencies, and rich corporations for targeted snooping. Even after GCHQ, NSA and Hacking Team hacks, leaks and PR disasters, it isn't likely we will ever see an end to lawful intercept despite these tools being largely used to target political opponents and activists.
- Technical details are available here.