Skygofree is newly identified malware that is reportedly one of the most advanced surveillance spyware ever seen. As per Moscow-based antivirus software maker Kaspersky Lab, this piece of Android and Windows malware comes with features "never before seen in the wild." This multistage malware is meant for surveillance, and reportedly enables attackers to carry out advanced snooping on Android, such as location-based audio recording, WhatsApp message theft, and connecting an infected device to Wi-Fi networks controlled by cybercriminals.
The new malware may be following the footsteps of the infamous hack in 2015 by Hacking Team, another Italy-based spyware developer. In a blog post on Securelist, Kaspersky has listed Skygofree's commands, indicators of compromise, domain addresses, as well as the device models targeted by the implant's exploit modules.
Researchers have named the new malware as Skygofree as the word was used in one of its domains. They say that the attackers have been active since 2014 and have been targeting select individuals, all from Italy. The malicious app spreads via webpages that look like those of network providers like Vodafone. From these pages, victims get tricked into installing the malicious APK. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices.
"The implant carries multiple exploits for root access and is also capable of taking pictures and videos, seizing call records, SMS, geolocation, calendar events and business-related information stored in the device's memory," the firm adds. Skygofree has apparently been programmed to get added to the list of "protected apps", which means that it is not switched off when the display is off.
Kaspersky says Skygofree has undergone continuous development since the first version was created at the end of 2014 and there are as much as 48 different commands in the latest version. Kaspersky Lab researchers wrote, "As a result of the long-term development process, there are multiple, exceptional capabilities." It also found a number of recently developed modules especially targeting Microsoft Windows, providing the attackers with reverse shell, keyloggers, recording of Skype conversations.
Meanwhile, Kaspersky believes the attackers themselves are Italian. In the blog post, it says, "Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like HackingTeam."