'Skygofree' malware can steal WhatsApp messages and secretly record phone users

Security researchers describe it as 'one of the most advanced mobile implants' they have ever come across

Aatif Sulleyman
Tuesday 16 January 2018 15:39 GMT
(Getty Images/iStockphoto)

Highly advanced spyware that’s capable of stealing WhatsApp messages from victims has been discovered by cyber security researchers.

The malware can “spy extensively” on people, and force their phones to record audio and video and take pictures, and steal text messages and call records, all “without arousing suspicion”, the researchers say.

It has been dubbed “Skygofree”, but it has no connection to Sky or any of its products, and does not affect the Sky Go service.

Kaspersky Lab describes it as “one of the most advanced mobile implants” it has ever come across, and says it “includes a number of advanced features not seen in the wild before”, which can give an attacker full remote control of an infected device.

One of its most noteworthy features is the ability to steal WhatsApp messages, by making use of the Accessibility Services feature on Android. It doesn’t take advantage of any vulnerabilities in the messenger app itself.

“Upon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications,” Kaspersky Lab says, adding that it found a payload that exclusively targets WhatsApp.

“The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for [WhatsApp] to be launched and then parses all nodes to find text messages.”

Though it requires a special permission from a victim to carry out the message theft, it can obtain this through the delivery of a deceptive phishing message.

Skygofree can also “eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild”, the researchers say.

The malware can enable an infected phone’s microphone and force it to record everything going on around it.

Kaspersky Lab says it is also capable of taking pictures and videos, seizing call records, text messages, geolocation data, calendar events and business-related information stored in the device’s memory.

The researchers found 48 different commands that can be implemented by attackers, which are listed here.

They say the malware has been active since 2014 and that the campaign is still ongoing. It has successfully infected “several” victims, all of whom are based in Italy, and is targeting Android and Windows users.

Kaspersky Lab says it has “a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions”, adding that the malware was designed for “targeted cyber-surveillance”.

It is spread through web pages mimicking leading mobile network operators, such as Three and Vodafone.

“Users are further advised to exercise caution when they receive emails from people or organizations they don’t know, or with unexpected requests or attachments – and to always double-check the integrity and origin of websites before clicking on links,” says Kaspersky Lab.

“If in doubt, call the service provider to verify.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in