Skygofree: New Government Malware for Android
Kaspersky Lab is reporting on a new piece of sophisticated malware:
We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.
Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild.
It seems to be Italian. Ars Technica speculates that it is related to Hacking Team:
That’s not to say the malware is perfect. The various versions examined by Kaspersky Lab contained several artifacts that provide valuable clues about the people who may have developed and maintained the code. Traces include the domain name h3g.co, which was registered by Italian IT firm Negg International. Negg officials didn’t respond to an email requesting comment for this post. The malware may be filling a void left after the epic hack in 2015 of Hacking Team, another Italy-based developer of spyware.
BoingBoing post.
echo • January 22, 2018 12:30 PM
I keep a very small footprint with my mobile phones, which helps mitigate threats but does not remove theoretical threats through subverting third parties.
This report was an educational run through the techniques they used, which I have read about or seen examples of in the past, although in different forms and not all in one place. On Windows I noticed anti-virus software flag files generated with the py2exe tool, but no warnings are given on the actual payload itself. Is it possible that some form of checking is possible on the payload instead of generating suspicions that a warning may just be a false alarm?