Skygofree Spyware
INTRODUCTION
Active since 2014, Skygofree (named after domains used in the application) is being called the most advanced Android malware, with powerful spying capabilities such as:
- Location-based sound recording through the microphone of an infected device: recording starts when the device enters a specified location
- Abuse of Accessibility Services to steal WhatsApp messages
- Ability to connect an infected device to Wi-Fi networks controlled by the attackers
Below is the analysis of one of the samples obtained, which clearly shows how harmful this spyware is.
ANALYSIS
The image below shows the permissions this app requests. Once installed, the app asks the user for a large number of permissions and then carries on its exfiltration activity: call records, text messages, geolocation, surrounding audio, calendar events and other information stored in the device's memory.


Also, the services used by this app were:

Service Name           Purpose
AndroidAlarmManager    Uploading the last recorded .amr audio
AndroidSystemService   Audio recording
AndroidSystemQueues    Location tracking with movement detection
ClipService            Clipboard stealing
AndroidFileManager     Uploading all exfiltrated data
Once the app is installed, attackers can command (the commands are covered shortly) and control it remotely over protocols such as HTTP, XMPP or the Firebase Cloud Messaging service (which is used in this case), as can be seen below:

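The broad permission set, the service names in the table above and the Firebase Cloud Messaging channel are all traits a defender can check for statically before running the sample. The Python script below is an added example, not part of the original post and not code from the sample: it triages an AndroidManifest.xml for those traits. The manifest it parses is constructed for the demo, the service names come from the table above, the permission and action strings are standard Android and Firebase identifiers, and the "at least three trait categories" threshold is an assumption chosen for the demo.

```python
"""Static triage of an AndroidManifest.xml for Skygofree-style surveillance traits.

Added defender's example (not the spyware's own code). It flags:
  * a cluster of surveillance permissions (audio, location, SMS, call log, ...)
  * service class names reported for the analysed sample
  * an accessibility service and a notification listener (bind permissions)
  * a Firebase Cloud Messaging service (possible remote command channel)
The threshold of three trait categories is an assumption for this demo.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"            # android:name attribute key
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission attribute key

# Service class names listed for the analysed sample in the article.
SKYGOFREE_SERVICES = {
    "AndroidAlarmManager", "AndroidSystemService", "AndroidSystemQueues",
    "ClipService", "AndroidFileManager", "AndroidMDMSupport", "AndroidCallSystem",
}

# Standard Android permissions matching the exfiltration described above.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALENDAR",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.CAMERA",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def _simple_name(class_name: str) -> str:
    """'com.example.ClipService' or '.ClipService' -> 'ClipService'."""
    return class_name.rsplit(".", 1)[-1]


def triage_manifest(manifest_xml: str) -> dict:
    """Return the traits found plus a hit count and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")} - {None}
    result = {
        "surveillance_permissions": sorted(requested & SURVEILLANCE_PERMISSIONS),
        "known_service_names": [],
        "accessibility_service": False,
        "notification_listener": False,
        "fcm_service": False,
    }
    for svc in root.iter("service"):
        simple = _simple_name(svc.get(NAME) or "")
        if simple in SKYGOFREE_SERVICES:
            result["known_service_names"].append(simple)
        bind = svc.get(PERMISSION)
        result["accessibility_service"] |= bind == ACCESSIBILITY_BIND
        result["notification_listener"] |= bind == NOTIFICATION_BIND
        # An <intent-filter> with the FCM action marks a push-message service.
        result["fcm_service"] |= any(
            a.get(NAME) == FCM_ACTION for a in svc.iter("action"))
    result["known_service_names"].sort()
    # One hit per trait category; four or more surveillance permissions count as one.
    hits = sum([
        len(result["surveillance_permissions"]) >= 4,
        bool(result["known_service_names"]),
        result["accessibility_service"],
        result["notification_listener"],
        result["fcm_service"],
    ])
    result["hits"] = hits
    result["verdict"] = "suspicious" if hits >= 3 else "low"  # assumed threshold
    return result


# Constructed manifests for the demo (not extracted from the real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name="com.example.constructed.AndroidAlarmManager"/>
    <service android:name=".ClipService"/>
    <service android:name=".AccessSvc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".PushSvc">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

The benign manifest also uses FCM and location, so it scores a single hit; it is the combination of traits, not any one of them, that makes the sample stand out. Real manifests are usually binary XML inside the APK, so run the script on the decoded output of a tool such as apktool.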
After that, as we dig further into the code, we can see below that once the user has granted certain permissions, this malicious app collects all sorts of user data from local databases, such as those of WhatsApp, Facebook and Gmail, using the Social command. This command starts the ‘AndroidMDMSupport’ service, which allows the files of any other installed application to be grabbed.

Along with this, it also uses the camera command to record a video or capture an image and upload it.

Some other commands it uses are:
- Install_apk: install APKs from a URL
- Sms: steal text messages
- Whatsapp_msg: steal the WhatsApp message database from the memory card
- History: steal browser history and upload it, as shown below.

The wifi command is used to connect the victim to a Wi-Fi network controlled by the adversaries in order to perform sniffing and man-in-the-middle (MitM) attacks.

Along with these, as shown above, it also looks for the databases of other apps, which are hardcoded as shown below:

Some other malicious activities
The images below show some of the services this app uses for its malicious activities:

As can be seen, it reads the phone state to get the serial number, UID, etc. of the device.

It also uses a NotificationListener service, as can be seen in the image below.

From the image below it can be seen that the app uses the AndroidCallSystem service to get call logs and numbers from the user’s device, and then uploads them to the attacker’s server.


Also, by using the AndroidFileManager service, it uploads all of the user’s documents as well.

The image shown above shows the URL to which this malicious app connects to perform its malicious activities.
Not only this, more advanced versions of this app have further capabilities such as dropping payloads, exploiting CVEs with further payloads and obtaining a reverse shell.
CONCLUSION
As we saw above, the Skygofree tool has a lot of capabilities, as seen in the wild. With some exceptional capabilities such as the use of multiple exploits to gain root privileges, never-before-seen surveillance features such as recording surrounding audio in specified locations, and stealing the private databases of other installed apps, this app proves to be a very dangerous application.
About Siddharth:
- Student currently pursuing a Bachelor of Technology (Computer Science)
- Interested in malware analysis, reversing and forensics.
- Did an internship at the Computer Emergency Response Team, India (CERT-In)
The article was originally published here: https://threatblogs.wordpress.com/2019/11/06/skygofree-spyware/
The post Skygofree Spyware | By Siddharth Sharma appeared first on eForensics.