One Of The 'Most Powerful' Android Spyware Tools Ever Was Just Uncovered

LASER_oneXM

Italy is home to a remarkably bustling smartphone spyware industry. Hacking Team, infamously hacked itself in 2015, somehow remains one of the bigger players. But there are others: IPS, Area IT and RCS to name a few. On Tuesday, researchers from Russian firm Kaspersky Lab detailed a fresh Android spyware outbreak they believe came from an Italian vendor. And, with its novel techniques to silently infiltrate Android phones and siphon off WhatsApp messages, they think it's one of the most advanced forms of malware targeting Google's operating system ever seen.

Whilst Kaspersky shied away from naming the Italian company, it found multiple references to Rome-based Negg in the spyware's code. Forbes attempted to contact one of Negg's founders, Francesco Taccone, but had received no response at the time of publication.

An Italian job

That chimed with the Kaspersky research, which found only a few infections, all within Italy. The Russian antivirus provider concluded the software, which it dubbed Skygofree, was one of the most powerful seen aimed at Android operating systems. "As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, [and] never-before-seen surveillance features," the company's researchers wrote in a blog post Tuesday.

They said it was likely development started on the tool back in 2014. As of October 2017, when Kaspersky first found the surveillance tech, it could record audio via the microphone when an infected device was in a specified location and could force a target device to connect to Wi-Fi networks controlled by the attacker.

Skygofree also used a novel method for surveilling WhatsApp messages, via Accessibility Services, provided by Google to assist those with disabilities. "The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for the targeted application to be launched and then parses all nodes to find text messages," Kaspersky wrote. Essentially, Accessibility Services provide a nice route into other applications as they have permission to do so, via an application programming interface (API).

The surveillance tool was being delivered via a handful of websites, including fake network update pages from different telecoms giants, including Three and Vodafone, all registered in 2015. Kaspersky also found a Windows implant, designed in 2017, but it was not able to find infected PCs.

The average user need not be afraid of Skygofree; it appears to be in limited use and delivered by a company in the "lawful intercept" market. As long as they have adequate permission from the courts, law enforcement officers across the world can use such surveillance tools (though in many cases, it's come with large dollops of controversy, as seen in past uses of snooping tech from Hacking Team and Israeli provider NSO Group).

Whilst the Skygofree spyware was limited to Italy, Kaspersky researcher Vicente Diaz thinks it's likely governments across the world will increasingly invest in such tools to spy on smartphones. "Even if this is not widespread and it's much more targeted, the future for this kind of government-sponsored espionage will be on mobile devices for sure," Diaz told Forbes. "I think we’re close to that tipping point."
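A defensive check related to the Accessibility Service abuse and the website-based delivery described in the article, as an added example that is not part of the original post or of Kaspersky's research: it lists enabled accessibility services whose package was not installed by a trusted store. It assumes the two inputs were collected with `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the package names, the trusted-installer set and the sample data are constructed for illustration.

```python
import re

# Assumption: only Play Store installs are trusted on the audited fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_services(setting_value):
    """Parse the colon-separated enabled_accessibility_services value."""
    value = (setting_value or "").strip()
    if value in ("", "null"):  # the setting is unset when nothing is enabled
        return []
    services = []
    for entry in value.split(":"):
        pkg, _, cls = entry.strip().partition("/")
        if not pkg:
            continue
        if cls.startswith("."):  # short class form is relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def parse_installers(pm_output):
    """Map package name to installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def suspicious_services(setting_value, pm_output, allow_packages=frozenset()):
    """Return (package, class, installer) for services from untrusted installers."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_services(setting_value):
        installer = installers.get(pkg)
        if pkg not in allow_packages and installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, cls, installer))
    return findings

# Constructed sample data (hypothetical package com.example.netupdate).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.netupdate/com.example.netupdate.SyncService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.netupdate  installer=null
"""

if __name__ == "__main__":
    for finding in suspicious_services(SAMPLE_SETTING, SAMPLE_PM):
        print("review:", finding)
```

Preinstalled system services can also report a null installer, so pass known vendor packages in `allow_packages` to keep the output reviewable.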
 
