Android malware, spying
The spyware was codenamedSkygofree” by experts from Russian anti-virus giant Kaspersky Lab Pixabay/Creative Commons


  • Strain of Android spyware was uncovered by Kaspersky Lab.
  • It can covertly snoop on WhatsApp chats, calls and a device's geo-location.
  • Cyber-tool seemingly designed by an Italian company similar to HackingTeam.

A new strain of Android malware which has been dubbed "one of the most powerful spyware tools" ever spotted has been exposed by cybersecurity researchers.

Codenamed "Skygofree" by experts from Russian anti-virus giant Kaspersky Lab, it has been used since 2014 to infect smartphones, steal WhatsApp chats, record conversations and spy on victims' texts, phonecalls, surrounding audio, calendar events and device geo-location.

The malware is typically spread using compromised websites which mimic well-known mobile operators – including UK-operating firms Three and Vodafone.

While the covert malware's internal code has changed over the years, researchers say it can be used to give hackers "full remote control of the infected device".

Discovered in October 2017, the advanced spying cyber-tool has been linked to an Italian IT company which offers customers lawful intercept and surveillance software.

Kaspersky Lab likened the firm to Hacking Team, which was the centre of a massive data breach in 2015 and was later accused of selling invasive spyware to repressive governments.

"The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform," said analysts Nikita Buchka and Alexey Firsh in a blog post on Tuesday (16 January).

"As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations."

The latest version of the implant contained 48 commands for various forms of spying. One, known as "geofence" would only record audio when the target was in a specific location. Another, entitled "WiFi", could be used to intercept data flowing through a wireless network.

Skygofree could also be used to take images using devices' cameras. According to Kaspersky, the investigation also uncovered an implant which could hack Windows computers.

While it is an advanced strain of malware, such a tool is only likely to be used in a highly targeted fashion. Kaspersky said there were several infected individuals, located in Italy.

Stealthy, commercial tactics

"High-end mobile malware is very difficult to identify and block and the developers behind Skygofree have clearly used this to their advantage, creating and evolving an implant that can spy extensively on targets without arousing suspicion," Firsh said.

"Given the artefacts we discovered in the malware code and our analysis of the infrastructure, we have a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions, rather like HackingTeam," he added.

Sources told Forbes that the firm in question works with law enforcement and is called Negg.

Chats, calls and texts could all be intercepted using the malware iStock