The new spyware, dubbed Skygofree because this name was found in one of the domains listed in its source code, is believed to have been initially developed in 2014.
Thereafter, according to Kaspersky, its functionality has improved. "...remarkable new features (have been) implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cyber criminals", the company said.
The spyware is spread from websites which host it. "We observed many Web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants," Kaspersky said. "These domains have been registered by the attackers since 2015."
The care taken in the coding was reflected in the fact that Skygofree was able to add itself to a list of protected apps on Huawei devices; such apps do not stop working even when the screen is off.
"Given the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that the developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like Hacking Team," Kaspersky noted.