Skygofree: A new form of Android spyware

Skygofree is a class of spyware that not only spies on you via your Android device but also infects your Windows PCs when you connect your phone to them.

The spyware has been under active development since 2015, and security researchers have seen many variants of it. Once installed, it can do some nasty things in the background. It can gain root access by using several known root exploits such as TowelRoot. It targets apps on your phone such as WhatsApp, Facebook, and Facebook Messenger and attempts to steal your personal data. It also acts as a surveillance tool by spying on you when you are around a certain location.

When it comes to WhatsApp, the spyware uses the accessibility service to read all the text messages on the screen. We had heard about Google cracking the whip on apps that use accessibility services, and perhaps this is a reason why. The spyware also uses BusyBox to access data in multiple apps. It also escalates privileges inside the app and then proceeds to steal data from the app, sending the data to a given URL.

[Image: Skygofree targeting WhatsApp]

Not only that, the spyware has a built-in Windows module that packs in a keylogger and file uploader. The spyware also has anti-detection features, which obfuscate the malware code by hiding in critical system apps such as msconf.exe, system.exe, and wow.exe.

The malware is spread by sites that look similar to what your network provider offers. My advice to you is to make sure that the APKs you download are signed and verified before installation. Always use a source like APK Mirror when downloading apps to sideload.
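An added example, not from the original article or from SecureList: a defender-side audit that ties together the accessibility-service abuse and the sideloaded-APK distribution described above by listing enabled accessibility services whose package did not come from a trusted store. It parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the sample output, the `com.example.*` package names and the trusted-installer set are constructed assumptions.

```python
import re

# Assumption: installers treated as trusted stores; adjust to local policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(raw):
    """Parse `settings get secure enabled_accessibility_services` output."""
    raw = raw.strip()
    if raw in ("", "null"):  # nothing enabled
        return []
    services = []
    for item in raw.split(":"):  # colon-separated package/class entries
        pkg, _, cls = item.strip().partition("/")
        if not pkg or not cls:
            continue  # malformed entry: skip rather than guess
        if cls.startswith("."):  # short form, relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def parse_installers(raw):
    """Parse `pm list packages -i` lines: package:<name>  installer=<name>."""
    pattern = r"^package:(\S+)[ \t]+installer=(\S+)[ \t\r]*$"
    return {m.group(1): None if m.group(2) == "null" else m.group(2)
            for m in re.finditer(pattern, raw, re.M)}

def audit(accessibility_raw, packages_raw):
    """List enabled accessibility services not installed by a trusted store."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_accessibility(accessibility_raw):
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings

# Constructed sample output; the com.example.* names are hypothetical.
SAMPLE_ACCESSIBILITY = (
    "com.example.screenreader/.ReaderService:"
    "com.example.carrier.update/com.example.carrier.update.HelperService"
)
SAMPLE_PACKAGES = """\
package:com.example.screenreader  installer=com.android.vending
package:com.example.carrier.update  installer=null
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES):
        print("REVIEW:", finding)
```

Preinstalled system packages can also report no installer, so treat the result as a review list rather than a verdict.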

Source: SecureList