Researchers Uncover Android Malware With Never-Before-Seen Spying Capabilities

An anonymous reader quotes a report from Ars Technica: According to a report published Tuesday by antivirus provider Kaspersky Lab, "Skygofree" is most likely an offensive security product sold by an Italy-based IT company that markets various surveillance wares. With 48 different commands in its latest version, the malware has undergone continuous development since its creation in late 2014. It relies on five separate exploits to gain privileged root access that allows it to bypass key Android security measures. Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, gelocation data, calendar events, and business-related information stored in device memory. Skygofree also includes the ability to automatically record conversations and noise when an infected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers. Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations.

Sounds as nasty as veriato / spector

[TigerPlish]

I find such things immensely distasteful. >.

Hm. Gives me an idea for an app! appy app apps!

Re:Kaspersky Lab

No that'd be NSA/Googlesoft :)

Three questions...

[Blinkin1200]

1 - How can I tell if I'm infected?
2 - Where can I get it?
3 - How much does it cost?

for testing purposes...

Re:Three questions...

[AHuxley]

As a thought experiment? A fictional movie script?
1. Police, security services or special forces at the door with vans waiting outside.

2.. That needs some research. Go to a library and write out a long list on paper of a nations most sensitive mil/industrial/research/medical sites, contractors/gov services, mil sites, mil ports.
Dont do that research online.

Buy a small number of new cell phones that have a lot of community software and hardware support to see what the cell phone hardware and OS is doing in real time.
Create new accounts. Use a language setting that fits in well with faiths/cults the security services are always interested in.
Use a face for the new account profile that is new to the internet. An non internet art project to get that real new profile looking very real.
Use more art to create a small group of new friends to link too. Same language and faith on a few other new account cell phones.
Keep the collection of new cell phones with their created accounts near each other around a room. Seat spacing around a table is good.

Use any good encrypted search engine with a free map function and start searching online down the list of sites, locations with a cell phone.
Have some way of seeing realtime changes to the cell phone its OS, its CPU use, data flow.

3. Its free, the security services will upgrade the networked cell phone doing the searching.
See what changes on the cell phone and its average data flow in/out using external advanced software and hardware to keep track of the cell phone OS, data use in real time.

See if the OS user brand tools, settings in the cell phone show the same data/network changes.
Test the mic with hardware to see when its turned on by malware. Play back a speech in a language that most interests the security services. See how the mic settings change, mic activates at an OS level in the cell phone.

If I was writing a movie script that is what I would format in a montage. Buying the hardware in an electronics store with cash, and getting the open source OS tracking software needed.
The profile art work.
A pile of books and the handwriting of names, locations to induce the gov/mil malware to be used.
Then the use of the cell phone to search the forbidden brands, locations and the spike in cell phone activity as the gov/mil malware becomes active.

Re:Three questions...

[n329619]

1 - How can I tell if I'm infected?

When you downloaded and installed the app.

If you don't know if you downloaded or installed the app, you can tell it when your android device phoning home to a few ip like 54.67.109.199, or when it has one of these services that you do not initially have (AndroidAlarmManager, AndroidSystemService, AndroidSystemQueues, ClearSystems, ClipService, AndroidFileManager, AndroidPush, RegistrationService) or when your nonrooted device is somehow rooted. Source

2 - Where can I get it?

Go the Kaspersky Lab Research Report from the article, look at the bottom and find those links yourself.

Disclaimer, your warranty is now void. This comment is not responsible for anything that may happen to your phone by installing the app. You do it at your own risk and take the responsibility upon yourself and you are not to blame the poster or anyone else.

3 - How much does it cost?

free as in herpes.

Re:Doesn't make up for hacking our computers

[Opportunist]

"Known"? The Annoying Orange claiming something is now "known"?

Sounds nasty

[DigitAl56K]

... and let me guess, 90%+ of Anrdoid devices today will never receive updates that close all the exploits this thing takes advantage of.

Android: For when you want to receive only semi-regular security updates for only a handful of models from a few manufacturers for a few years tops.

Re:Sounds nasty

[AmiMoJo]

Actually no Android devices are vulnerable to this. You have to enable installing apps from your browser, download it, install it, and then agree to all the permissions it demands. It doesn't use an exploit to install itself, it uses social engineering with web pages made to look like legit ones offer app updates.

The table of URLs is at the bottom of TFA.

Re:Sounds nasty

[Cute+Fuzzy+Bunny]

Hmm, lets see. I bought a Nexus 6 three years ago for $189. It received updates until just recently. I just bought an Essential phone for $280. It'll get updates for at least a couple of years.

How much are those iphones again?

New features going untested

[ArtemaOne]

Google's habit of having everything in beta for nearly, or completely, its lifespan leads to things like this. The new features are the ones majorly being exploited. Accessibility getting around security? That is a major screwup considering that Android phones don't get regular updates. Some lower cost phones will never receive a patch and will be compromised for the entire time it is owned.

Re:New features going untested

[AvitarX]

Accessibility pretty much must get around security.

It needs to be able to read everything on the screen to function.

Re:New features going untested

[nasch]

I don't think the accessibility features are all that new, are they?

But, what about Meltdown?

[GerryGilmore]

According to Conventional Wisdom(TM) Meltdown and Spectre are MUCH worse, leading to patchy BIOS updates, BSODs and varying levels of performance loss. Perhaps a dose of perspective, which this helps bring to the table, is in order - finally.

Tell me why, again?

[Rick+Schumann]

Tell me why, again, I should ever have a smartphone?

But Rick, you can't be one of the cool kids if you don't have one!
But Rick, you're a luddite if you don't have one!
But Rick, you're not interesting enough for anyone to spy on!
But Rick, you're obviously paranoid and wearing a tinfoil hat, you should just calm down and get one anyway!

..and all the other lame-ass crap people post when I say this.

If you want what's left of your privacy, and actual data security preserved, GET RID OF YOUR SMARTPHONE!

Re:Tell me why, again?

[jareth-0205]

If you want what's left of your privacy, and actual data security preserved, GET RID OF YOUR SMARTPHONE!

Better get that Intel-chipped laptop out then...

Re: Tell me why, again?

[c6gunner]

Maybe just don't install random crapware?

When I was working support, I didn't blame laptops when users repeatedly installed bonzy buddy on them. I blamed the idiots who kept doing it over and over, and then kept bringing me the laptop whining about how slow it was.

I suppose you would have just taken away their laptops and told them to go back to using pencils and paper.

Re:Tell me why, again?

[tepples]

Tell me why, again, I should ever have a smartphone?

Because netbooks made for* GNU/Linux are no longer sold in major U.S. electronics showroom chains. What's less bad between a smartphone (or Android tablet) and a Windows 10 tablet or laptop?

* "Made for" means shipping with or otherwise warranted to run.

Re: Tell me why, again?

[Rick+Schumann]

Read the article. Has nothing to do with installing anything. Your Android phone can be infected with this malware without you doing anything and you'll never even know.

Re: Tell me why, again?

[c6gunner]

Read the article. Has nothing to do with installing anything. Your Android phone can be infected with this malware without you doing anything and you'll never even know.

Bullshit. Neither of the linked articles state anything to that effect. As a matter of fact, both of them state that the malware is primarily spread via "web landing pages" which mimick various carriers websites, and the original Kaspersky article gives example. All of their examples are links to APK files.

So, essentially, what needs to happen is:

1. User is somehow directed to a webpage which looks like a cellphone carriers website.
2. Webpage asks the user to download an APK file.
3. User downloads the file and then manually runs it.
4. In most cases android pops up a warning saying that unknown sources are disabled by default, and refuses to install the APK.
5. User manually tells android that external sources are OK.
6. User runs the APK a second time and installs it.

There are multiple steps in that process where an even remotely competent user should realise that something is wrong. I'm not sure how much more hand-holding you want your phone to do for you.

Alternately, this malware could be bundled with a legitimate piece of software and somehow snuck on to the google play store, in which case android would not give you any warning about untrusted sources ... but you're still knowingly installing some piece of crap which you almost certainly don't need.

Re:Tell me why, again?

[SlaveToTheGrind]

If you want what's left of your privacy, and actual data security preserved, GET RID OF YOUR SMARTPHONE!

Whew -- good thing I just replaced it with a mobile multifunction, n'est ce pas?

Re:Tell me why, again?

[HiThere]

Actually, the further you go into the past, the more privacy you had. This was largely due to economics, of course. But in 1960 only draft age males had to carry an ID card, and nobody carried a phone. You could open a bank account with no proof of identity, etc.

Before WWII nobody had to carry an ID card. Before 1910 almost nobody carried *any* government issued ID. Etc.
(I may have gotten a couple of the dates a bit wrong, but it's about right. I'm not certain, e.g., that soldiers didn't carry official IDs during the Civil War: 1865.)

It was about the time of the Civil War that Hollerith invented his card (now the IBM card) to store data for the census. Go back before than and all government record keeping was via hand written entries. Family Bibles were considered as authoritative and official records...though that might be slightly earlier.

And, as I said, the reasons were all basically economic. But you need to figure in utility as well. The manpower required to retrieve records as quickly as a modern system would have been impossibly exorbitant. And it would also require an additional army of clerks to record the data in multiple copies and to verify that it had been recorded properly, etc. Totally impossible, but it can be condensed into an economic impossibility. It would have required more than the entire population of the country to manage the record keeping for the country. The problem probably scales O(2^n) when you have people doing the record keeping rather than machines. (I.e., it works fine for a small village.)

Re:Tell me why, again?

[antdude]

Just get rid of everything like Internet, computers, etc. Go off the grid! :P

Re:Tell me why, again?

[n329619]

Tell me why, again, I should ever have a dumbphone?

..and to all the other tech nerds post when I say this.

If you want what's left of your privacy, and actual data security preserved, Get rid of your dumbphone and GET A PIGEON!

Pigeon not only looks cool but can also delivery your message securely and safely without all those phone / network connectivity nonsense. In addition, each pigeon comes with its own bird-droppings delivery feature which is prefect for targeting those on your most hated list, like your neighbor! So why keep your dumbphone that you'll need recharging every other week? Get A PIGEON TODAY!

Disclaimer: Pigeon message delivery training and pigeon food are not included. Pigeon may automatically activate bird-droppings delivery feature without prior notice. Pigeon not fed might poke your brain out, users are advised to feed pigeon daily for safety measure.

Re:Tell me why, again?

[nasch]

What's less bad between a smartphone (or Android tablet) and a Windows 10 tablet or laptop?

I think his suggestion is to not use a smartphone or tablet. Seems like throwing out the baby to me, but to each his own.

Re:Tell me why, again?

[jouassou]

In case you do need one at some point: CopperheadOS. Unfortunately, it only supports Nexus phones at the moment, but they provide a Google-free security-hardened android distribution with regular updates and no proprietary components. I'm not saying it's bullet-proof, but getting rid of the telemetry Google has built into Google Play Services and providing regular security updates is orders of magnitude better than the competition.

Re:Tell me why, again?

[Cute+Fuzzy+Bunny]

Quite some time ago, I applied for a lower cost, higher end insurance package that my agent said would be good for me, but would require a huge background check. I've held a top secret and nuclear Q clearance, and this investigation felt about the same.

Bearing in mind that this is pre-internet, at one point they asked me about any relationship I might have had with the ex husband of an ex girlfriend I hadn't even seen in years. Turns out he'd been involved in some insurance fraud. About all I could think that we'd ever shared that could connect us was a Blockbuster video card. Yet somehow they'd established those linked relationships.

Today your credit report, what you buy on your credit cards, what you buy with a store rewards card are all collected and collated. Your picture or video of you is taken dozens of times per day.

I don't think getting rid of a smartphone would do much for you, and any ideas of privacy or keeping your information a secret went out the window a LONG time ago.

Re: Tell me why, again?

[Rick+Schumann]

>implying most people are 'remotely competent'.
They're not. I am orders of magnitude more 'competent' than the average smartphone user. Therefore I refuse to own one. I'm on the verge of dumping wireless entirely in fact, really don't use it enough to justify it.

Re:Tell me why, again?

[Rick+Schumann]

If you care about your privacy and security then maybe you should think twice about using "always on" wireless devices like these.

Re:Tell me why, again?

[Rick+Schumann]

Oh okay guess there's nothing I can do about anything so why even try, I'll just get every always-on device on the planet like most of you seem to do, put cameras everywhere too (for my SAFETY of course!), get a Facebook and Twitter account again, share EVERY SINGLE ASPECT of my daily life with the whole world, and be like a frog on a dissection tray, splayed open for every government agency and corporation that wants to know any little fucking thing about me, including what kind of porn I like, how and when I masturbate, and what my last bowel movement was like. FOR MY PROTECTION, OF COURSE; since all the above only EVER have my best interests at heart!

Or I can continue to not be an abject yellow-bellied coward that knuckles under to violations of my human rights like most people and FIGHT BACK any way I can.

Re:Tell me why, again?

[tepples]

Yep, I also used to think that having a smartphone was pointless.

Then I got one, installed a console, text editor and compiler and now I can code while on the crapper.

What's the advantage of buying a smartphone and using that on the crapper over buying a laptop made for GNU/Linux and using that on the crapper?

Re: Tell me why, again?

[c6gunner]

I'm on the verge of dumping wireless entirely in fact

Good plan, Rick. Just stick to that paper and pencil.

Read the name as "SkyGoatse".

And the holes it opens are bigger.

Re:Doesn't make up for hacking our computers

[SonarNerd]

Your local government(s) exactly want you to think that way, so that you don't use those tools that would detect their malware. They can silence local tool vendors using National Security Letters. But not these kind of foreign ones.

If you read the story, mostly Italians are infected, with a malware made by Italian company and likely used by Italian intelligence agencies...

This reads more like an advertisement.

[Fly+Swatter]

And less like a warning for a product that you can apparently find by looking towards an Italian Security company.

-Remember that internet thing? It didn't end well.

I like old stuff

[AndyKron]

I'm never giving up the dial phone hanging on my wall.

Re:I like old stuff

[HumanWiki]

Make sure you ignore that resistor I placed across your tip/ring.
Or that man down the way a little bit using a buttset. I'm sure he's not making LD calls.

Re:I like old stuff

[freeze128]

Never gonna give, never gonna give, (Give you up!)

Re:Doesn't make up for hacking our computers

[mark-t]

For values of "known" == "alleged" or even "highly suspected", perhaps.

not so safe.

[tuppe666]

I will stick to a safe and professionally coded software like iOS, which is real Unix.

Many people are grateful of those many naked celebrity photos from Apple. After apple crippling users phones I am astonished anyone would buy from them. They continue to be ethically bankrupt.

Re:not so safe.

[mark-t]

While I was less than thrilled about Apple's lack of transparency over slowing down the older phones, I thought that all things considered, their efforts were still lengthening the useful life of the devices impacted. Working slower is better than not working, period.

Re:not so safe.

are you moron? leaked photos afaik were retrieved with stolen or easily-guessed password via iCloud not directly from iOS. or from phone repairing shop. educate yourself before commenting such

Re: not so safe.

[mark-t]

"die unexpectedly"??? Citation, please. Undesired app slowdown sure... but where did you read that it caused the devices to become bricks?

Re: not so safe.

[tepples]

So you'd rather get a slower device that will completely die unexpectedly (done people would assign blame to other factors like app boat) instead of one that dies under heavy load but can be restarted (as the battery isn't that far gone yet, since it's effects aren't being hidden)

Yes. The former (automatic power save once battery weakens) allows me to dial emergency services or hail a ride until such time as I can schedule a battery replacement. The latter does not.

Re: not so safe.

[nasch]

"Die" meaning "turn off" not "become a brick".

Re: not so safe.

[mark-t]

No, I meant where did you read that their slowdown would cause the device to turn off unexpectedly?

Re: not so safe.

[nasch]

It's been all over coverage of the issue. That is the explanation Apple gave for why they did this. Without the patch, if the system requested more voltage than the battery could deliver, it would just shut off. By throttling the processor, the peak voltage demand is decreased and the device can keep running.

Re: not so safe.

[mark-t]

That was what I saying from the beginning:

While I was less than thrilled about Apple's lack of transparency over slowing down the older phones, I thought that all things considered, their efforts were still lengthening the useful life of the devices impacted. Working slower is better than not working, period.

Slowing down the device enabled it to keep working... yet, the AC to whom I responded above stated:

So you'd rather get a slower device that will completely die unexpectedly (done people would assign blame to other factors like app boat) instead of one that dies under heavy load but can be restarted...

Which is what prompted my query for a citation, because as far as I was aware, Apple's patch did exactly the opposite. I was even clear on the point that I was asking about info on the claim about dying unexpectedly, so I'm not sure where you got the idea that I was ever saying that the patch caused it to die.

Re: not so safe.

[nasch]

Oh I see... I'm not sure what he meant by that. Sounds like he misunderstood something. Sorry to add to the confusion.

It is an implant software

[140Mandak262Jamuna]

Skygofree is a reminder that so-called implant software sold to governments and police forces, sometimes in countries with poor human rights records, remains a threat to people using a wide variety of devices and operating systems.

It looks like it is a product sold to security agencies and police forces around the world. They might force the installation of this software by the sellers in their countries, or install it once they arrest the dissident. It is a spyware alright, but it might not be a garden variety virus that infects you unbeknownst to you.

I guess now that Kaspersky is deemed "evil" ...

... they have no reason to adhere to NDAs by the various terror... err, I mean spying... err, I mean not stupidity but "intelligence" organizations, and can finally leak all the nasty shit.

I hope.

Re:Doesn't make up for hacking our computers

[Opportunist]

Where does she enter the equation?

Is it possible in your little black-and-white world that thinking the Annoying Orange is simply and plainly a loonie doesn't automatically mean that I consider the bitch any better? You had an election last year, but no choice.

Back on topic: You wanted to show me some kind of proof that Kaspersky is spying for the Russians.

Re:Kaspersky Lab

[hashish]

Maybe it is a case of 'have to be a thief to catch a thief'.

Kaspersky

Tell me again why I shouldn't get the antivirus that catches the real bad guys?

Re:Kaspersky

If you ignore the silliness about the alleged Kremlin entanglement and just evaluate the product on its merits, Kaspersky is pretty good. I didn't notice much impact on system resources save memory, but I've got plenty so it wasn't a problem. Browsing was slightly slowed be, not too bad. Actually my biggest beef with the product is that it's very, very chatty with Kaspersky servers. Even when you go through the configuration (which is extensive on advanced mode) and try to turn off all the options and features that could conceivably require network access, it still manages to phone home regularly to Kaspersky's global network of servers. About the only time I like a product like that to access the network is to autoget new signatures and notifications that there is a new update for the software and that's it. Unfortunately, I couldn't get Kaspersky to shutup, so I had to remove it. YMMV.

Re:Kaspersky

[AHuxley]

Help find the next Skygofree, Stuxnet, Equation Group.
https://en.wikipedia.org/wiki/...
Wonder what many other nations top AV brands do all day?

Re: CopperheadOS

[c6gunner]

CopperheadOS, as great as it is, is only available for a few devices. And given that it supports all the typical accessibility features I suspect it would still be vulnerable to this.

Misconception

[fluffernutter]

I came to this article thinking they were talking about Google Home!

Re:Doesn't make up for hacking our computers

[Opportunist]

Whatever. Am I going to hear where Kaspersky is spying for Russia?

Re:Doesn't make up for hacking our computers

[HiThere]

OK. I think there's a fair chance that Kaspersky is spying for Russia, at least occasionally. Now ask me about AT&T, or someone else, because it's not like that makes them different from any other company. Russia spying on me is a less direct threat than some US agency doing so.

It's quite appropriate to say than on US classified work should be done on any device running Kaspersky software. But I doubt than any British or Japanese company should trust software from the US.

Re:Doesn't make up for hacking our computers

[gl4ss]

two sides.

it's true anyways.

however, I suspect google paid them off to emphasize accessibility service use, so google can remove it and cite that as reason.

because you know, if you have root, they can get the views without the accessibility server as well(this is necessary so they get the text fields contents without having to screencap the entire thing, which would work just as fine for spying as well).

and yes I have written an accessibility service for android - it was necessary so that I could know what app is in foreground, it's necessary because google removed other options for knowing that. it's a kiosk mode application/manager so it's not really any security issue to the user as such..

Re:Doesn't make up for hacking our computers

[Opportunist]

So "there is a fair chance" is now translated to "it is known fact"?

What we have is allegations from the annoying orange. That's it. Their response was to have their source code audited for any possibility of collaboration with any state actor, which is more than I could say for Microsoft, Symantec or McAfee.

Offensive

[nasch]

"Offensive security product"? Is that like "spending cuts in the tax code"?

Does it require human intervention to install?

[Rexdude]

That's the only relevant question here. Until drive-by downloads are a thing on Android, the only victims will be the common sense impaired.
- Stick to Play Store if you don't know what you're doing, and check the developer name, reviews and number of downloads of whatever app you plan to download for any red flags. Better still, stick to well known, popular apps.
- Keep the 'install apps from unknown sources' setting at its default state of unchecked if you're not smart enough to differentiate between malicious and benign 3rd party APKs.
- You don't need any sort of antivirus app on Android. This isn't Windows XP circa early 2000s where using IE6 would get you infected with silently installing malware.