SkyGoFree malware spies on your Android phone and your messages

Android threat-of-the-year so far in 2018, at least if you measure by media interest, is the curiously-named SkyGoFree malware.

(The name was apparently invented by researchers at Kaspersky, simply because they “found the word in one of the domains” used in one of the samples they looked at – the malware isn’t targeted at users of the telecommunications company Sky or its Sky Go TV product.)

In one word, SkyGoFree (or SkyFree as Sophos products detect it) is easily described: spyware.

A quick look in the decompiled Java code of the malware reveals the range of data it knows how to steal:

  . . .
  public static final String URL_UPLOAD_CAMERA = "upload_camera.php";
  public static final String URL_UPLOAD_CELL_INFO = "upload_cella.php";
  public static final String URL_UPLOAD_FILESYSTEM = "upload_filesystem.php";
  public static final String URL_UPLOAD_FILE_SEND = "upload_documents.php";
  public static final String URL_UPLOAD_HISTORY = "upload_history.php";
  public static final String URL_UPLOAD_INFO_TEL = "upload_info_tel.php";
  public static final String URL_UPLOAD_LISTAPP = "upload_listapp.php";
  public static final String URL_UPLOAD_REG_CALL = "upload_reg_call.php";
  public static final String URL_UPLOAD_RUBRICA = "upload_rubrica.php";
  public static final String URL_UPLOAD_SMS = "upload_sms.php";
  public static final String URL_UPLOAD_WHATSAPP_SMS = "upload_whatsapp_msg.php";
  . . .

RUBRICA, in case you are wondering, is Italian for ADDRESS BOOK. A lot of the code seems to have been written by Italian speakers – the lines above come from a source file called, which would be in English.

There’s loads more treacherous functionality in the malware, including a function called StartReverse() that connects your phone up to a server run by the crooks to give them what’s called a reverse shell.

Normally, to log on to a command prompt (known in Unix and Linux as a shell) you need to initiate a connection to the device, which means getting through any firewalls and network address translation that are in the way.

Many mobile networks, and almost all Wi-Fi networks, let you make outbound connections to other people, but don’t let others connect inbound directly to you – you’re supposed to be a data consumer (client) on the network, not a data producer (server).

Hackers get around this with a reverse shell: a common intrusion trick that turns the logon process on its head.

Your device initiates the connection outwards to the crooks, but only to set the connection up; after that, your device acts as the server, with the crooks hooked up as clients, “logged in” with direct control over your phone.

SkyGoFree also includes a feature – if that is the right word – that it calls Social to let the crooks grab data from numerous other apps on your device.

Here’s an edited fragment of the code that tries to steal your social networking data (don’t worry if you don’t understand Java – this is just by way of illustration):

  . . .
  mMap.put("messenger", new Social("/data/data/com.facebook.orca/databases/", new String[] { "upload_facebook_chat.php" }));
  mMap.put("facebook", new Social("/data/data/com.facebook.katana/databases/", new String[] { "upload_facebook_search.php", "upload_facebook_contacts.php" }));
  mMap.put("whatsapp", new Social("/data/data/com.whatsapp/databases/", new String[] { "upload_whatsapp_msgstore.php", "upload_whatsapp_contacts.php" }));
  mMap.put("gmail", new Social("/data/data/", new String[] { "upload_email_gmail.php" }));
  mMap.put("mlite", new Social("/data/data/com.facebook.mlite/databases/", new String[] { "upload_messengerlite_chat.php" }));
  . . .
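As an added example (not code from the article or from the malware), the script below turns the two decompiled fragments quoted above into hunt data: the set of upload_*.php script names the malware posts to, and the Android packages whose private databases its Social table reads, then runs those names over a few constructed proxy log lines. The hostnames and log lines are constructed placeholders; the article names no command-and-control domains.

```python
import re
# Constructed input: lines copied from the two decompiled fragments quoted above.
DECOMPILED = r'''
public static final String URL_UPLOAD_CAMERA = "upload_camera.php";
public static final String URL_UPLOAD_SMS = "upload_sms.php";
public static final String URL_UPLOAD_WHATSAPP_SMS = "upload_whatsapp_msg.php";
mMap.put("messenger", new Social("/data/data/com.facebook.orca/databases/", new String[] { "upload_facebook_chat.php" }));
mMap.put("whatsapp", new Social("/data/data/com.whatsapp/databases/", new String[] { "upload_whatsapp_msgstore.php", "upload_whatsapp_contacts.php" }));
'''
CONST_RE = re.compile(r'String\s+URL_\w+\s*=\s*"([^"]+)"')
SOCIAL_RE = re.compile(
    r'mMap\.put\("(\w+)",\s*new Social\("([^"]+)",\s*new String\[\]\s*\{([^}]*)\}')

def upload_endpoints(java_src):
    """Every upload_*.php script name, from both the URL_ constants and the Social table."""
    scripts = set(CONST_RE.findall(java_src))
    for _label, _path, quoted in SOCIAL_RE.findall(java_src):
        scripts.update(re.findall(r'"([^"]+)"', quoted))
    return scripts

def targeted_packages(java_src):
    """Social label -> Android package whose private /data/data/<pkg>/ directory is read."""
    pkgs = {}
    for label, path, _quoted in SOCIAL_RE.findall(java_src):
        m = re.match(r'/data/data/([\w.]+)/', path)
        if m:
            pkgs[label] = m.group(1)
    return pkgs

def hunt(log_lines, scripts):
    """(line number, host, script) for each request whose last path segment is a known script; a name match alone is a lead to triage, not a verdict."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'https?://([^/\s]+)(/\S*)', line)
        script = m.group(2).rsplit('/', 1)[-1].split('?')[0] if m else None
        if script in scripts:
            hits.append((n, m.group(1), script))
    return hits

# Constructed proxy log; the hosts are placeholders, the article names no C2 domains.
SAMPLE_LOG = [
    '10.0.0.7 POST http://update-server.example/api/upload_camera.php 200',
    '10.0.0.7 GET http://www.example.com/index.php 200',
    '10.0.0.7 POST http://cdn-sync.example/upload_whatsapp_msgstore.php?id=42 200',
    '10.0.0.7 GET http://www.example.com/uploads/gallery.php 200',
]

def demo():
    return hunt(SAMPLE_LOG, upload_endpoints(DECOMPILED))
```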

The good news is that on a regular Android phone, apps can’t blindly read each other’s data.

Unless you have rooted your device, or have an old or unpatched phone with a security hole that allows malware to root your phone automatically and secretly in the background, this part of the malware won’t work.

SkyGoFree also has a component that can call home to download and install additional modules – a sort-of plugin system for the malware. (When we investigated, the addon files that the malware was looking for were offline.)

Malware is often programmed so that it can update or extend itself, which makes the threat even more serious: neither you, nor researchers, can ever be sure in advance exactly what the crooks might decide to do with infected devices in the future.

What to look for

The sample we examined pretends to be a “System Update”, using a green Android icon.

If you launch the app, it starts running in the background but almost immediately removes its own icon to give you the impression that the “update” has finished.

Fortunately, the app still shows up on the System | Apps page, where you can stop it and uninstall it.

We haven’t received any reports of this malware from the wild, and it isn’t – and as far as we know, never was – in Google Play, so you’d have to go to the Settings | Security page and turn on the non-default option to Allow installation of apps from unknown sources to get infected.

Google Play is not the virus-free walled garden that you might have been led to believe, but it is still far safer than accepting apps from unknown sources such as alternative markets, unregulated Android forums or links sent to you by friends.

What to do?

  • Stick to Google Play. If you need to go off-market for a specific app, go back into Settings | Security after installing it and turn Allow unknown sources off again.
  • Use an Android anti-virus. Products like the free Sophos Mobile Security for Android will help you block malware and warn you about insecure settings on your device.
  • Don’t trust system updates offered by third parties. Be especially cautious of “updates” that claim to offer additional features or services not available officially.