Understanding SkyGoFree

By: cybergary

May 8, 2019

Remote Access Trojans, or RATs, have been a key part of the cybersecurity landscape for many years. These remote tools are covertly deployed on target devices. Once installed, the program allows extensive control and surveillance through the device. In a world of smartphones and mobile computers, a mobile Remote Access Trojan boasts many unique features and capabilities. SkyGoFree is a widespread Remote Access Trojan for mobile devices, and this article will explore the program in detail. We’ll review the history of SkyGoFree, its many features and functions, and the essentials of how it is installed and prevented.

Kaspersky Labs claims to have first discovered the program in October of 2017. The team posits that the software has been around since late 2014, and that 2015 was the time of the most widespread distribution. The program was named SkyGoFree after one of the domain names used by the malware. Version updates continued well past 2014, and the latest update was in early September of 2017. Some personally identifiable information was unintentionally left behind in the code of the program, and a simple analysis reveals some insight into its history of development. The program had registered a domain, “”, through Negg, an international IT firm based out of Rome, Italy. The program began in 2014 as simple, undisguised malware. However, as time went on it evolved into a highly sophisticated spyware tool with multiple stages and a laundry list of features.

The core functions of SkyGoFree are disguised in the background as innocuous-sounding Android services. AndroidAlarmManager, AndroidSystemService, and AndroidSystemQueues are all hidden components of SkyGoFree that are used to collect and exfiltrate sensitive data. AndroidAlarmManager is a process that uploads audio files that are passively and automatically recorded by the phone’s microphone. AndroidSystemService is the process that makes the recordings from audio input devices. On top of this, AndroidSystemQueues automatically tracks the phone’s location when the accelerometer detects movement. ClearSystems tracks the phone’s GSM (Global System for Mobile Communications) data to provide further location information. The Clip service copies data stored to the clipboard, and AndroidPush and RegistrationService are used to access and control the program remotely. Lastly, AndroidFileManager is a hidden process that uploads all of the data collected by SkyGoFree.

Advanced commands allow further configuration of the spyware program. The attacker can trigger events when the phone is in a particular location, access the device’s camera, and steal data from other applications such as Facebook and WhatsApp. An attacker with SkyGoFree installed on their target’s device can instantly track the user’s location, listen in through their microphone, view their environment through the camera, monitor communications from social media platforms, and exfiltrate all of it without the target knowing. Audio recordings can be triggered by location, so an attacker could use an unsuspecting network of infected devices to surveil a specific location. SkyGoFree is a dangerous tool at the intersection of Remote Access Trojans and mobile computing; preventing installations is a matter of understanding how it is deployed and spread.

SkyGoFree was spread between devices through a process that is not unlike phishing. The attacker hosted several custom web pages that were designed to look like messages from an official phone service provider. In this case, the malware files are disguised as mobile updates from Vodafone that “configure” your smartphone and increase your internet connection speed. However, SkyGoFree is installed on the target’s device when they download and install the “system update”.

In short, SkyGoFree is a powerful, easily distributed surveillance tool for mobile devices. Once installed, the attacker has free access to system functions, the camera, microphone, location data, and even keypresses. Because it is disguised as a benign system update, preventing the installation of SkyGoFree is as simple as acquiring it. Preventing spyware is mostly a matter of avoiding sketchy updates from unknown sources. Users who are familiar with the aforementioned web pages can easily avoid the malware by recognition alone. However, the tool remains an important threat to mobile devices.

TL;DR

SkyGoFree is a powerful Remote Access Trojan designed for mobile devices. Capable of monitoring all facets of a mobile device, SkyGoFree is installed through deceptive updates and spread covertly. This article explores the origins, functions, and prevention of this infamous mobile malware program.
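The article names the service components SkyGoFree hides behind (AndroidAlarmManager, AndroidSystemService, AndroidSystemQueues, ClearSystems, Clip, AndroidPush, RegistrationService, AndroidFileManager) and the capabilities they need (microphone, camera, location, network upload). An added example, not code from the article or from Kaspersky, of how a defender might turn that into a triage check over a sideloaded APK's AndroidManifest.xml: it flags declared services whose class names match the component list and checks whether the manifest requests the full set of permissions such surveillance would require. The permission set and both manifests below are constructed for the example; a real sample may rename its components, so name matching is a heuristic and the permission check is what catches a renamed build.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace (android:name -> {ns}name).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Service class names the article attributes to SkyGoFree.
SKYGOFREE_COMPONENTS = {
    "AndroidAlarmManager", "AndroidSystemService", "AndroidSystemQueues",
    "ClearSystems", "Clip", "AndroidPush", "RegistrationService",
    "AndroidFileManager",
}

# Assumed permission set: what the microphone, camera, location and
# exfiltration behaviour described in the article would need. Not taken
# from any SkyGoFree sample.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
}


def simple_name(qualified):
    """'.AndroidAlarmManager' or 'com.x.AndroidAlarmManager' -> 'AndroidAlarmManager'."""
    return qualified.rsplit(".", 1)[-1]


def analyse_manifest(xml_text):
    """Return matched component names, granted surveillance permissions and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")]
    matched = sorted(
        simple_name(s) for s in services
        if s and simple_name(s) in SKYGOFREE_COMPONENTS
    )
    missing = SURVEILLANCE_PERMISSIONS - perms
    if len(matched) >= 2 and not missing:
        verdict = "high"          # known names plus the full capability set
    elif matched or not missing:
        verdict = "suspicious"    # one indicator alone still deserves a look
    else:
        verdict = "none"
    return {
        "matched_components": matched,
        "surveillance_permissions": sorted(SURVEILLANCE_PERMISSIONS & perms),
        "full_surveillance_set": not missing,
        "verdict": verdict,
    }


# Constructed manifest imitating the component layout the article describes.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.systemupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="System Update">
    <service android:name=".AndroidAlarmManager"/>
    <service android:name=".AndroidSystemService"/>
    <service android:name="com.example.systemupdate.RegistrationService"/>
    <service android:name=".AndroidFileManager"/>
  </application>
</manifest>"""

# Constructed benign manifest: one ordinary sync service, network access only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <service android:name=".SyncService"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyse_manifest(manifest))
```

The check is deliberately split into two signals so that a rebuilt sample with renamed services still surfaces as "suspicious" through its permission footprint, while a legitimate app that happens to hold all four permissions (a video messaging client, say) is not escalated to "high" without a name match.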
