SkyGoFree Trojan
SkyGoFree is a trojan that targets the Android operating system and has the capability to allow a remote attacker to gain full control of infected devices.
SkyGoFree is delivered through fake mobile carrier websites, where it is disguised as a system update. When launched by the user it removes its own icon, to appear as though the update has finished, but continues running in the background. It then attempts to gain root access to the infected device. SkyGoFree can also record audio, connect to hostile WiFi networks, steal WhatsApp messages and install additional malware.
Many web landing pages mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015.
After downloading and unpacking, the main module executes the exploit binary file. Once executed, the module attempts to get root privileges on the device by exploiting the following vulnerabilities:
CVE-2013-2094
CVE-2013-2595
CVE-2013-6282
CVE-2014-3153 (futex aka TowelRoot)
CVE-2015-3636
URL’s to block this been download (Do not visit the following URL’s) :-
http://217.194.13.133/tre/internet/Configuratore_3.apk
http://217.194.13.133/tre/internet/
http://217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk
http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html
http://217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone%20Configuratore.apk
http://217.194.13.133/190/configurazione/vodafone/smartphone/index.html
Affected Platforms
Google Android – All versions
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.