The most advanced Android malware

January 26, 2018

Kaspersky Lab researchers informed the world that they had discovered a highly advanced malware with the working name ‘Skygofree’. Yet, after the code was thoroughly analysed, it turned out that the malware was not new at all: its first functionalities date back to 2014. According to the researchers, the malicious app was initially only able to search a smartphone for a WhatsApp database. It was, however, gradually “armed” over time, and in 2016 it was enhanced with a module for downloading various exploits. The attacker would then use them in an attempt to escalate privileges to root. The exploits abused the CVE-2013-2094, CVE-2013-2595, CVE-2013-6282, CVE-2014-3153 (futex, aka TowelRoot) and CVE-2015-3636 vulnerabilities. If an Android system was affected by any of these vulnerabilities, the malware would take over administrator privileges on the infected smartphone.

It should be emphasized that the malware was programmed extremely professionally, and its method of operation can be compared to a Swiss army knife: sending a single, simple command is enough to execute a wide range of intelligence-gathering operations on the infected smartphone. Here are some examples:

  • “geofence” – when the user entered a location chosen by the attacker, the malware activated the smartphone's built-in microphone
  • “social” – a command used to capture the databases of apps such as Messenger, Facebook, WhatsApp or Gmail
  • “wifi” – connecting to a WiFi network with the specified parameters (if the device is in range). Most likely this function was used as one element of carefully conducted man-in-the-middle (MITM) audio monitoring.
  • “camera” – this command triggered video recording or taking a photo with the device's front camera immediately after the smartphone was unlocked by the user.

…and many other “services”, which enabled, among other things, capturing SMS messages and reading calendar information. Italian comments in the code and the high code quality may bring to mind the well-known Hacking Team group, which is known to have developed spyware for various governments. The malware's distribution method is not fully known, but it most probably relies on fake websites imitating trusted mobile operators (e.g., Vodafone), where visitors were asked to install an app that supposedly speeds up their connection with the operator.

Do you need cybersecurity solutions for your company? Contact us.

Published by: Piotr Mierzwiński