back to article Android snoopware Skygofree can pilfer WhatsApp messages

Mobile malware strain Skygofree may be the most advanced Android-infecting nasties ever, antivirus-flinger Kaspersky Lab has warned. Active since 2014, Skygofree, named after one of the domains used in the campaign, is spread through web pages mimicking leading mobile network operators and geared towards cyber-surveillance. …

  1. Quentin North
    Trollface

    They would want you to think that wouldn't they...

    Isn't Kaspersky now officially a engine of the Russian state? I bet they would like you to think that these capabilities are developed in Italy.

    1. vir

      Re: They would want you to think that wouldn't they...

      This does seem to have the hallmarks of a state-developed or at least -sponsored program. I'm not in the habit of sharing credit card numbers or my address over WhatsApp or speaking it aloud to myself.

    2. Anonymous Coward
      Anonymous Coward

      Re: They would want you to think that wouldn't they...

      Your daddy MS Rogers is calling you home (NSA Director)

  2. Forget It
    Holmes

    Can we know the location coordinates of interest please?

    1. Rich 11

      The Vatican confessional.

    2. Brewster's Angle Grinder Silver badge
      Joke

      Your mother's bedroom.

    3. Anonymous Coward
      Anonymous Coward

      51°30′37.938N 0°35′42.146W

    4. David 164

      bet they can be made specific to the infected phone.

  3. Dr Mantis Toboggan
    FAIL

    Shame Kaspersky

    Didn't clarify more important stuff rather than lawyer nonsense.

    Like perhaps how this is distributed

    how many defences you have to disable to get it

    How many permissions you have to grant it.

    Kaspersky really are clickbait scumbags. Why anyone would trust their network security with them when they can't even be trusted to providing accurate malware information with resorting to sexing everything up?

    1. Anonymous Coward
      Anonymous Coward

      Re: Shame Kaspersky

      It's a shame you didn't click on the blog link in Reg article which Kaspersky Lab answered almost all your questions.

      Like perhaps how this is distributed

      It is currently known to be from a list of websites, so it is distributed by website through installing the app itself.

      how many defences you have to disable to get it

      Since it is inflected by installing the app itself, at most one defense you have to disable to install it, which would be 'allow 3rd party app install'. At minimum zero defense you have to disable to get it if it's on the play store and you installed it.

      How many permissions you have to grant it.

      None since it won't ask you for them if it roots your phone. If it does ask you, it'll ask at least microphone, camera, location and maybe contacts (from one image, the log shows it stealing facebook data and contacts but doesn't state if that will trigger the contact permission).

      1. Anonymous Coward
        Anonymous Coward

        Re: Shame Kaspersky

        Awwww, how naive,. Its never one defence, all android devices will warn you if you try to turn off secure sources, it even specifically mentions putting you at risk of malware. All devices have play protect (which despite the name protects you against malware bottom anywhere, including non Google play sources.

        You also babble on about the magically rooting your phone to bypass permissions. Do t you find it weird that it's now pretty hard to manually root a device, and most people need to actually bootloader unlock, yet somehow this has some magic that can do it and that works on all devices. If you drill into the detail, itcwill be the same old Kaspersky nonsense where it's a 5 year old device that has a known root exploit and totally unrepresentative of a typical device.. but that wouldn't fit the clickbait agenda.

        I would bet money it wasn't a pixel. The Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition.

  4. Anonymous Coward
    Linux

    Skygofree spreads through web pages

    "Skygofree .. is spread through web pages mimicking leading mobile network operators and geared towards cyber-surveillance."

    Does this mean that Skygofree can install itself merely by the end user visiting a malicous wesite?

    1. Anonymous Coward
      Anonymous Coward

      Re: Skygofree spreads through web pages

      If so, it is only one hack against a major site or major ad network away from infecting millions of devices.

    2. Anonymous Coward
      Anonymous Coward

      Re: Skygofree spreads through web pages

      Currently from the Kaspersky Lab report, it is only downloadable.

      So I doubt it can self install itself (for now).

    3. Dr Mantis Toboggan
      FAIL

      Re: Skygofree spreads through web pages

      Of course not. Here is what you actually need to do;

      *Enable untrusted sources in phone settings

      *Ignore warning about the malware risks involved with untrusted sources

      *Turn off play protect scanning

      *Visit obscure website hosting this.

      *Be using a mobile device

      *Open the APK it downloads

      * Ignore the permissions it lists on the install screen, including record microphone permissions

      * install app

      *Grant special accessibility permission

      Its also worth mentioning, unlike Windows, android is fully sandboxed, so even if you did all these things, you simply have to uninstall the app to get rid of it fully, it won't leave stuff on your device.

      Funny that Kaspersky and checkpoint always "forget" to mention these huge mitigation factors...

      1. RyokuMas
        Facepalm

        Re: Skygofree spreads through web pages

        "*Be using a mobile device"

        ... well, duh....

  5. ThatOne Silver badge
    Big Brother

    Most likely is it something you can download and use to spy upon somebody else (spouse, children, competitor). So infection is manual, done by a perpetrator.

    Something which records WhatsApp messages and audio on demand is clearly a spying tool, not classic malware.

  6. Anonymous Coward
    Anonymous Coward

    WhatsApp

    There are dubious "Antivirus/Anti hacking" apps on the Play store as well as factory installed by phone manufacturers and/or carriers that can access the users WhatsApp data as well as Facebook/Twitter etc.

    One of theses apps has a "WhatsApp Cleaner" and "Facebook Messenger Cleaner".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like