Skygofree: Super advanced and never before seen malware targeting Android users


Cyber security researchers are warning about a new and highly advanced form of malware that is capable of reading your WhatsApp messages and recording audio and video on your phone.

The malware, dubbed Skygofree, can “spy extensively” on your phone, recording audio and video, taking photos and stealing text messages and call records without you even knowing, the researchers have warned.

Cyber security firm Kaspersky Lab said it was “one of the most advanced” forms of malware it has ever seen and “includes a number of advanced features not seen in the wild before”, which can give hackers total remote control of an infected device.

One of the most notable features of the malware is its ability to steal WhatsApp messages. It does this not by exploiting a vulnerability in the messaging app but by abusing the Accessibility Service feature in Android.

“Upon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications,” Kaspersky Lab revealed.

“The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for [WhatsApp] to be launched and then parses all nodes to find text messages.”

This requires the victim to give the malware permission to access the WhatsApp messages, and it obtains that permission by carrying out a phishing attack that tricks the user into giving it access.

Skygofree can also “eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild,” Kaspersky Lab warned.

The malware is able to take over the microphone of an infected phone and force it to record everything within range of the device.

Kaspersky also said it can take photos and videos and seize call records, calendar entries, location data and text messages that are stored on the device.

Researchers said there are a total of 48 different commands the malware can carry out on an infected device.

They added that the malware has been active since 2014 and that its campaign is still ongoing.

Researchers said the malware is spread through pages that mimic mobile network operators.

“Users are further advised to exercise caution when they receive emails from people or organizations they don’t know, or with unexpected requests or attachments – and to always double-check the integrity and origin of websites before clicking on links,” Kaspersky Lab advised.

“If in doubt, call the service provider to verify.”

