Warning as security experts find powerful WhatsApp Android spyware

The new malware, called Skygofree, was spotted by antivirus firm Kaspersky Lab. /DAILY MAIL
Security researchers have discovered a new type of Android spyware that uses techniques ‘previously unseen in the wild’ to record the activity of WhatsApp users.

The new malware, called Skygofree, was first spotted by antivirus firm Kaspersky Lab this fall, but they say it has likely been in development since 2014.

Skygofree can carry out a number of remote commands, including taking pictures or videos with the affected device, and even recording audio when the user enters a specified location.

According to a new report from the researchers at Kaspersky Lab, Skygofree is likely the creation of an Italian IT company, with ‘several’ affected devices found so far only in Italy.

It’s thought the malware was first made three years ago, and has been continually improved since.

Now, it has several advanced features that haven’t been seen anywhere else.

The malware is able to carry out location-based audio recordings, meaning it can automatically begin recording the device’s surroundings when that device enters a specified place.

It can also spy on messages using the Accessibility Services, and connect different infected devices to 'Wi-Fi networks controlled by cybercriminals,' the Kaspersky team says.

"The Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform," the researchers wrote.

"As a result of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for gaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding audio in specified locations."

The Kaspersky researchers say they’ve identified several web landing pages that spread the implant by mimicking the pages of mobile operators.

While most of the domains are outdated, the firm says almost all remain accessible, and mimic both domain name and page content.

"Unfortunately, for now we can’t say in what environment these landing pages were used in the wild, but according to all the information at our disposal, we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks," the researchers wrote.

"For example, this could be when the victim’s device connects to a Wi-Fi access point that is infected or controlled by the attackers."

The new report comes just a week after WhatsApp was revealed to have a huge design flaw, which allows anyone to infiltrate private group chats despite its ‘end-to-end encryption.’

The study, presented at the Real World Crypto security conference in Zurich, Switzerland, by a group of researchers from Ruhr University Bochum in Germany, found that anyone with control over WhatsApp's servers can add people to private group chats, including staff, hackers and governments who legally demand access.

In response, however, Facebook's Chief Security Officer Alex Stamos wrote on Twitter that the bug is not effective because WhatsApp users are notified when new members join conversations.
