New Android Malware records audio, video & steals WhatsApp messages

A malware that can extensively spy upon unsuspecting users and force mobile phones to record audio and video as well as capture photographs and obtain geolocation data, calendar events and financial or business related data stored in the device memory has been identified by security researchers at Kaspersky Labs.

Yes, you read that right. The malware is being termed as an extremely advanced program that can steal WhatsApp text conversations and call records without even leaving a trace or making the user suspicious. The malware although has been dubbed as Skygofree it is not at all connected to Sky or any of its offered products and it doesn’t affect Sky Go service either.

In its report published on Tuesday, researchers noted that Skygofree is an aggressive malware that is being distributed by an Italian IT firm that is known for providing surveillance wares. Its new version contains over 48 unique commands, which shows that the malware has been through rigorous development process since the time it was developed in 2014.

Skygofree uses five different exploits to obtain privileged root access through which it can bypass Android security mechanisms. The malware is also capable of automatically recording conversations and noise whenever an infected device enters a location that has been specified by the attacker. Another unique feature is that it abuses the Android Accessibility Service the function of which is to help disabled users be able to use the device.

Moreover, it can connect to the infected device across Wi-Fi networks that are being controlled by operators of the malware; attackers are able to completely control infected devices remotely through reverse shell feature. This malware is equipped with various Windows components that contain this reverse shell, keylogger, and Skype conversation recording capability.

As per researchers at Kaspersky Labs, this malware is “one of the most advanced mobile implants [that] includes a number of advanced features not seen in the wild before.”

“Upon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications. “The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for [WhatsApp] to be launched and then parses all nodes to find text messages,” explained the researchers.

The malware is being spread via webpages that seem like legitimate websites of mainstream mobile network operators such as Vodafone and Three. Users need to be cautious when they receive emails from unknown individuals or organizations or those emails that contain unexpected attachments. It is also important to make sure that authentic websites are being accessed and if there is any doubt about a webpage, it is a good idea to contact the service provider and verify the link.

Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'