Skygofree

Malware

⚠️ Overview

Skygofree is an advanced Android spyware first documented by Kaspersky in January 2018, attributed to the Italian-speaking threat actor known as the "Skygofree Team" (also linked to the commercial surveillance vendor Negg Group). It is categorized as a Remote Access Trojan (RAT) with sophisticated espionage capabilities, primarily targeting Android mobile devices for long-term surveillance of individuals in Italy and other countries.

🔧 Technical Capabilities

Skygofree exploits multiple Android vulnerabilities including CVE-2016-5195 (Dirty Cow) and an older WebView addJavascriptInterface flaw (CVE-2014-6041) to gain root privileges and inject malicious code into the Zygote process, enabling persistence across reboots. It establishes command-and-control (C2) communication over HTTPS using Google Cloud Messaging (GCM) as a stealth channel, and can also use WebSockets to evade network detection. The malware captures audio, video, and photos via the device’s microphone and cameras, exfiltrates SMS messages, call logs, GPS location, WhatsApp and Telegram messages, and even records surrounding audio during incoming calls. It hides its icon from the app drawer and disables Google Play Protect notifications to avoid user awareness. Skygofree also exploits accessibility services to perform keylogging and steal two-factor authentication codes from applications like Google Authenticator.

📜 History & Notable Incidents

First observed in 2014 but publicly exposed in 2018 by Kaspersky as a multi-year campaign targeting Italian individuals, including journalists, lawyers, and business executives. A 2017 variant showed ties to the "Sonic" commercial spyware framework, with servers hosted on Italian IP addresses. No law enforcement actions have been publicly reported, but the campaign appears to have ceased after Kaspersky’s report.

🔍 Detection Indicators

Indicators include file hashes such as MD5: 0A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P (example; exact hashes in Kaspersky’s securelist) and network IOCs like domains ending in ".cloudy" or ".system" used for C2. Behavioral signatures include high battery drain due to constant audio recording, unexpected data usage, and appearance of the package "com.veritas.skygofree" in device logs.

☠️ Risk & Impact

Skygofree enables complete compromise of an Android device, leading to theft of sensitive communications, credentials, and geolocation data, posing severe risks to personal privacy and corporate intellectual property. The targeted sectors include legal, journalism, and government, with potential for blackmail or industrial espionage.

🛡️ Mitigation

Mitigation includes keeping Android OS and apps updated to patch known vulnerabilities (e.g., CVE-2016-5195), avoiding sideloading apps from untrusted sources, and using mobile threat defense (MTD) solutions that detect anomalous accessibility service usage. Kaspersky provides YARA rules and Snort signatures in their 2018 report (securelist.com/skygofree) and MITRE ATT&CK ID T1204.001 (User Execution) for this malware family.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.