Skygofree: New spyware can access your WhatsApp messages; Huawei devices infected as well
The spyware exploits Android’s Accessibility Services to access WhatsApp messages.
A highly sophisticated spyware has been on the loose for more than two years and is even capable of accessing users' WhatsApp messages, security researchers said on Tuesday.
According to a recent report by security firm Kaspersky Lab, the spyware known as "Skygofree" is "one of the most advanced mobile implants" yet. The researchers also claim that it "includes a number of advanced features not seen in the wild before."
The researchers disclosed that they had discovered the Android spyware in October last year.
"We believe the initial versions of this malware were created at least three years ago - at the end of 2014. Since then, the implant's functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals," researchers said in a blog post.
"We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015," they added.
"According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy."
"The core ideology behind most mobile malware is using extra permissions which eventually are used to take control of the victim's device and steal all the data. Always check what kinds of permissions are required by the app before downloading it," says Ankush Johar, Director at security firm Infosec Ventures.
The researchers pointed out that they had come across various spyware tools for Windows that create an implant for exfiltrating sensitive data on a targeted device. This version of the spyware was found in early 2017.
According to researchers, some versions of this spyware come with "self-protection ability" exclusively for Huawei devices.
"There is a 'protected apps' list in this brand's smartphones, related to a battery-saving concept. Apps not selected as protected apps stop working once the screen is off and await re-activation, so the implant is able to determine that it is running on a Huawei device and add itself to this list. Due to this feature, it is clear that the developers paid special attention to the work of the implant on Huawei devices," researchers wrote.
Researchers further wrote that one version exploited Android's Accessibility Service to exclusively target WhatsApp Messenger. Using this exploit, the payload can access information directly from the displayed elements on the screen.
"So, it waits for the targeted application to be launched and then parses all nodes to find text messages," the report said.
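Because this technique depends on the implant holding an enabled Accessibility Service, a defender can audit which apps hold one. The script below is an added example, not code from Kaspersky's report or from this article; it parses output captured with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, and every package name in the sample data is constructed.

```python
# Added example: flag user-installed apps that hold an enabled Accessibility
# Service, the capability the article says one Skygofree version abused.
# Inputs are text captured on a workstation with:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3

# Constructed sample data (all package names are made up for illustration).
SAMPLE_SETTINGS = (
    "com.example.screenreader/.ReaderService:"
    "com.example.operator.update/com.example.operator.update.HelperService"
)
SAMPLE_PACKAGES = (
    "package:com.example.operator.update\n"
    "package:com.example.chatapp\n"
)

def parse_enabled_services(raw):
    """Return (package, class) pairs from the colon-separated setting value."""
    raw = raw.strip()
    if not raw or raw == "null":          # nothing enabled on the device
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:              # skip malformed fragments
            continue
        pkg, cls = entry.strip().split("/", 1)
        if cls.startswith("."):           # expand the short ".Class" form
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def parse_third_party(raw):
    """Return the set of package names from `pm list packages -3` output."""
    prefix = "package:"
    return {line.strip()[len(prefix):]
            for line in raw.splitlines() if line.strip().startswith(prefix)}

def flag_services(settings_raw, packages_raw, allowlist=frozenset()):
    """Enabled accessibility services owned by non-allowlisted user apps."""
    third_party = parse_third_party(packages_raw)
    return [(pkg, cls) for pkg, cls in parse_enabled_services(settings_raw)
            if pkg in third_party and pkg not in allowlist]

if __name__ == "__main__":
    for pkg, cls in flag_services(SAMPLE_SETTINGS, SAMPLE_PACKAGES):
        print(f"review: {pkg} has accessibility service {cls} enabled")
```

Anything flagged is a prompt for review rather than a verdict, since legitimate tools such as password managers also use this capability; pass their package names in `allowlist`.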