As a result of its long development history, the implant has several exceptional capabilities: "usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations", Buchka and Firsh wrote in their analysis.
The spyware, called Skygofree, was discovered by researchers at Kaspersky Lab, who warned that it has been active since 2014. It can take pictures with the front-facing camera, read WhatsApp messages by abusing Android's Accessibility Services, and force the device to join a Wi-Fi network controlled by the attackers. Kaspersky Lab's report assesses that Skygofree is likely the work of an Italian IT company.
The malware is built for targeted surveillance and includes capabilities that the researchers say they had not seen before in the wild.
Skygofree can record audio through the device's microphone whenever the handset enters a specified geolocation, and it harvests WhatsApp messages by registering an Accessibility Service. That framework exists for assistive technology such as screen readers, and a service granted access to it receives the on-screen content of other apps, including the text of chat messages.
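A triage check for the Accessibility Services abuse described above, added here as an example (it is not code from Kaspersky's report or from the malware): Android stores the enabled services in the secure setting `enabled_accessibility_services` as a colon-separated list of `package/ServiceClass` entries, which `adb shell settings get secure enabled_accessibility_services` prints (or the word `null` when nothing is set). The script parses that value and flags every service whose package is not on an allowlist of expected assistive apps. The allowlist and the sample device output are constructed for illustration.

```python
"""Triage check: which packages hold Accessibility Service access on an Android device.

Added example for this article. The allowlist and the sample device output are
constructed for illustration, not taken from Kaspersky's report.
"""
from dataclasses import dataclass
from typing import List

# Assumed allowlist: packages an administrator expects to see with
# accessibility access (constructed; adapt to your environment).
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# The second entry stands in for a malicious app that registered a service to
# read other apps' screens, as Skygofree does to harvest WhatsApp messages.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.svc.ScreenReaderService"
)


@dataclass(frozen=True)
class A11yService:
    package: str
    service: str  # fully qualified class name


def parse_enabled_services(raw: str) -> List[A11yService]:
    """Parse the raw setting value into (package, service class) pairs."""
    value = raw.strip()
    if not value or value == "null":  # unset setting: no services enabled
        return []
    services = []
    for entry in value.split(":"):
        if "/" not in entry:
            continue  # malformed or empty entry; ignore
        package, _, service = entry.partition("/")
        # A leading '.' means the class name is relative to the package.
        if service.startswith("."):
            service = package + service
        services.append(A11yService(package, service))
    return services


def flag_unknown_services(raw: str, allowlist=KNOWN_ACCESSIBILITY_PACKAGES) -> List[A11yService]:
    """Return enabled services whose package is not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s.package not in allowlist]


if __name__ == "__main__":
    # Replace SAMPLE_SETTING with sys.stdin.read() to feed real adb output.
    for svc in flag_unknown_services(SAMPLE_SETTING):
        print(f"unexpected accessibility service: {svc.package} ({svc.service})")
```

A hit is a lead, not proof of compromise: password managers and automation apps legitimately use this API, so the next step is to check where the flagged package came from (for example whether it was sideloaded rather than installed from the store) and what else it holds, such as microphone, location and camera permissions.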
Researchers at Kaspersky Lab have uncovered a family of Android malware they describe as one of the most powerful ever seen in the wild. It appears to have been at its most active in 2015, though the most recent domain linked to the malware was registered in October 2017.
All of these capabilities put the device owner at risk, but control over the device's Wi-Fi is especially concerning: the attackers can join the phone to a network they operate and intercept its internet traffic, including passwords and credit card numbers sent over connections that are not protected by TLS, or whose certificate checks the attackers can defeat. The malware also registers itself as one of the device's "protected apps" (a setting on Huawei handsets that exempts an app from being killed to save battery), so it keeps running after the screen turns off.
Most of the domains linked to the malware are now dated, but Kaspersky says nearly all remain reachable, with lure pages that imitate legitimate sites in both domain name and page content. Kaspersky also says the malware was assembled from several open-source projects, some hosted on GitHub: PRISM (a reverse shell), android-rooting-tools (Android rooting exploits), El3ct71k Keylogger (a keylogger), and Xenotix Python Keylogger (a Windows keylogger).
Users are also advised to be wary of emails from people or organisations they do not know, especially those carrying unexpected requests or attachments, and to verify the origin and integrity of a website before following links to it.