A new malware program called the Skygofree Trojan was discovered targeting Android smartphones and tablets with extensive spyware capabilities in order to gain access to user information and gather data from apps. How does this Trojan work and what makes it unique compared to other types of spyware?
Antimalware vendors have a category — greyware — for potentially unwanted programs, such as adware or spyware, that some might argue are not clearly malware because they have legitimate uses, especially when wielded by security professionals.
While commercial security tools are available for Android with functionality comparable to that of common malware, it can be difficult to distinguish between commercial security tools and malware strictly on the basis of functionality, because common malware incorporates functionality and uses exploits similar to those used by many commercial tools. However, malware will typically be noisier and draw more attention to itself, leading to its discovery and to its being blocked by security tools.
On the other hand, commercial security tools with malware-like functions might not be uniformly blocked and may not even be detected by other commercial security tools — more discreet malware can fly under the radar. Regardless of the program’s functionality and whether or not it is malware, when a program is discovered to have been unintentionally installed on a device, it’s a matter of concern.
Kaspersky Labs found the Skygofree Trojan, which could, arguably, be considered greyware because it provides some functions that are similar to those used by security teams. However, this would be a difficult argument to win: the Skygofree malware is distributed via fake mobile operator websites and is disguised as an update to improve mobile internet speed — this should be the first red flag that it’s malware.
The Skygofree Trojan can be configured by the attacker to hide itself when it is installed and to set itself up on the device to always be running — another red flag. And since it abuses Android Accessibility Services to interact with apps on the device without the user’s approval, the malicious nature of the program is difficult to deny.
One of the functions Kaspersky reported it found in Skygofree is its ability to use mobile device management tools to turn on audio recording when the device goes into a geofenced area. It’s unknown why the Skygofree Trojan does this, but mobile device management tools use this function to control or disable a camera when a device goes into sensitive locations that prohibit cameras.
The Skygofree Trojan can also connect to a Wi-Fi network the attacker has defined — even if the device’s Wi-Fi functionality has been turned off. This is another function that commercial security tools might use to check into a management server to upload logs and update the configuration.