A malicious software named Skygofree was used by cyber criminals to read encrypted WhatsApp messages and to force smartphones to spy on their surroundings, researchers have revealed.
Skygofree exploited an Android feature that made apps more accessible for people with disabilities to read anything displayed on the screen, including messages sent and received using encrypted messaging platforms like WhatsApp.
Last year, it came to light that WhatsApp had refused the government's request to create a back door to help the latter access encrypted messages and prevent terrorist attacks across the country. The government has been fighting tooth and nail with messaging firms like WhatsApp for some time, asking them to weaken end-to-end encryption as the feature is allegedly used by terrorists to plan attacks on innocent targets.
So far, it was believed that the real reason behind the feud between the government and WhatsApp was that there was no backdoor that could enable anyone to access messages sent and received on WhatsApp, including the firm itself.
Even though it has denied the government access to encrypted communications, WhatsApp regularly provides limited details to authorities like the name of an account, the date it was created, the last time it was accessed, the IP address of the device which was used to access it and the associated email address.
However, security researchers at Kaspersky Lab recently discovered that an Italian IT company has been able to find a way to access encrypted WhatsApp messages. According to the researchers, the firm created a malicious software to access data stored in smartphones and named it Skygofree after television service Sky Go to make customers believe that nothing was amiss.
Hackers behind the operation have been distributing Skygofree using fake websites designed to mimic websites owned by mobile network operators since 2014. Once the spyware infiltrates a mobile device, it performs a number of tasks like continuously tracking the location of the device, turning on audio recording when the owner is in a certain place, connecting the device to a Wi-Fi network controlled by the hackers to collect traffic, and continuing to operate even when the device has been placed on standby.
The spyware can also include itself in a device's list of favourite apps so that it can continue to function when all apps except for favourites are stopped to save battery or to improve device performance. At the same time, it exploits an accessibility feature in Android to read everything displayed on a screen, including content from popular apps such as Facebook Messenger, Skype, Viber, and WhatsApp.
'It’s a kind of “digital eye” that reads what’s displayed on the screen, and in the case of Skygofree, it collects messages from WhatsApp. Using Accessibility Services requires the user’s permission, but the malware hides the request for permission behind some other, seemingly innocent, request,' the researchers noted.
'Skygofree can secretly turn on the front-facing camera and take a shot when the user unlocks the device — one can only guess how the criminals will use these photos. However, the authors of the innovative Trojan did not dispense with more mundane features. Skygofree can also to intercept calls, SMS messages, calendar entries, and other user data,' they added.
The fact that the spyware has been collecting encrypted WhatsApp communications using deceptive means for years without being spotted by Google or WhatsApp signifies the nature of the threat faced by mobile phone users. While WhatsApp has been successful in protecting the sanctity of end-to-encryption so far, its developers failed to spot this loophole which has been so cleverly exploited by hackers.
To protect their devices from malicious trojans and spyware like Skygofree, Kaspersky Lab suggests that mobile device users should install apps only from official stores, pay attention to misspelled app names, small numbers of downloads, or dubious requests for permissions, and install reliable security solutions which will be able to catch most malicious apps and files, suspicious websites, and dangerous links.
Back in November, Google kicked out a number of malicious apps from its Play Store that belonged to a malware family named Tizi and were used by their creators to record calls from WhatsApp, Viber, and Skype, send and receive SMS messages, and access calendar events, call log, contacts, photos, Wi-Fi encryption keys, and a list of all installed apps. These apps could also record ambient audio and take pictures without displaying the image on the device's screen.
According to Google, if Android device users install the new Google Play Protect malware detection software and keep their devices updated with the latest security patches at all times, they will be protected from such malicious apps as older versions of Android and most security software cannot detect them.
However, security researchers have also suggested that Android device users should not rely fully on the stores’ protections, but should also check app ratings and comments and pay attention to what permissions they grant to apps.