{
	"id": "0c897517-df9f-4add-827a-cc3f937025b5",
	"created_at": "2026-04-06T00:20:16.015579Z",
	"updated_at": "2026-04-10T03:21:57.302005Z",
	"deleted_at": null,
	"sha1_hash": "0dde64f31688363e1a4c031d418384a87078069f",
	"title": "Skygofree: Following in the footsteps of HackingTeam",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1185490,
	"plain_text": "Skygofree: Following in the footsteps of HackingTeam\r\nBy Nikita Buchka\r\nPublished: 2018-01-16 · Archived: 2026-04-05 15:12:16 UTC\r\nAt the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild.\r\nIn the course of further research, we found a number of related samples that point to a long-term development process. We\r\nbelieve the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the\r\nimplant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio\r\nsurroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via\r\nAccessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals.\r\nWe observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android\r\nimplants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the\r\ndistribution campaign was at its most active. The activities continue: the most recently observed domain was registered on\r\nOctober 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy.\r\nMoreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant\r\nfor exfiltrating sensitive data on a targeted machine. 
The version we found was built at the beginning of 2017, and at the\r\nmoment we are not sure whether this implant has been used in the wild.\r\nWe named the malware Skygofree, because we found the word in one of the domains*.\r\nMalware Features\r\nAndroid\r\nAccording to the observed samples and their signatures, early versions of this Android malware were developed by the end\r\nof 2014 and the campaign has remained active ever since.\r\nSignature of one of the earliest versions\r\nThe code and functionality have changed numerous times, from simple unobfuscated malware at the beginning to\r\nsophisticated multi-stage spyware that gives attackers full remote control of the infected device. We have examined all the\r\ndetected versions, including the latest one that is signed by a certificate valid from September 14, 2017.\r\nThe implant provides the ability to grab a lot of exfiltrated data, like call records, text messages, geolocation, surrounding\r\naudio, calendar events, and other memory information stored on the device.\r\nAfter manual launch, it shows a fake welcome notification to the user:\r\nDear Customer, we’re updating your configuration and it will be ready as soon as possible.\r\nAt the same time, it hides its icon and starts background services to hide further actions from the user.\r\nService Name Purpose\r\nAndroidAlarmManager Uploading last recorded .amr audio\r\nAndroidSystemService Audio recording\r\nAndroidSystemQueues Location tracking with movement detection\r\nClearSystems GSM tracking (CID, LAC, PSC)\r\nClipService Clipboard stealing\r\nAndroidFileManager Uploading all exfiltrated data\r\nAndroidPush XMPP C\u0026C protocol (url.plus:5223)\r\nRegistrationService Registration on C\u0026C via HTTP (url.plus/app/pro/)\r\nInterestingly, a self-protection feature was implemented in almost every service. 
Since in Android 8.0 (SDK API 26) the\r\nsystem is able to kill idle services, this code raises a fake update notification to prevent it:\r\nhttps://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/\r\nPage 1 of 13\n\nCybercriminals have the ability to control the implant via HTTP, XMPP, binary SMS and FirebaseCloudMessaging (or\r\nGoogleCloudMessaging in older versions) protocols. Such a diversity of protocols gives the attackers more flexible control.\r\nIn the latest implant versions there are 48 different commands. You can find a full list with short descriptions in the\r\nAppendix. Here are some of the most notable:\r\n‘geofence’ – this command adds a specified location to the implant’s internal database and when it matches a device’s\r\ncurrent location the malware triggers and begins to record surrounding audio.\r\n‘social’ – this command starts the ‘AndroidMDMSupport’ service, which allows the files of any other installed\r\napplication to be grabbed. The service name makes it clear that by applications the attackers mean MDM solutions\r\nthat are business-specific tools. The operator can specify a path with the database of any targeted application and\r\nserver-side PHP script name for uploading.\r\nSeveral hardcoded applications targeted by the MDM-grabbing command\r\n‘wifi’ – this command creates a new Wi-Fi connection with specified configurations from the command and enables\r\nWi-Fi if it is disabled. So, when a device connects to the established network, this process will be silent and\r\nautomatic. 
This command is used to connect the victim to a Wi-Fi network controlled by the cybercriminals to\r\nperform traffic sniffing and man-in-the-middle (MitM) attacks.\r\naddWifiConfig method code fragments\r\n‘camera’ – this command records a video or captures a photo using the front-facing camera when someone next unlocks\r\nthe device.\r\nSome versions of Skygofree feature the self-protection ability exclusively for Huawei devices. There is a ‘protected\r\napps’ list in this brand’s smartphones, related to a battery-saving concept. Apps not selected as protected apps stop working\r\nonce the screen is off and await re-activation, so the implant is able to determine that it is running on a Huawei device and\r\nadd itself to this list. Due to this feature, it is clear that the developers paid special attention to the work of the implant on\r\nHuawei devices.\r\nAlso, we found a debug version of the implant (70a937b2504b3ad6c623581424c7e53d) that contains interesting constants,\r\nincluding the version of the spyware.\r\nDebug BuildConfig with the version\r\nAfter a deep analysis of all discovered versions of Skygofree, we made an approximate timeline of the implant’s evolution.\r\nMobile implant evolution timeline\r\nHowever, some facts indicate that the APK samples from stage two can also be used separately as the first step of the\r\ninfection. Below is a list of the payloads used by the Skygofree implant in the second and third stages.\r\nReverse shell payload\r\nThe reverse shell module is an external ELF file compiled by the attackers to run on Android. The choice of a particular\r\npayload is determined by the implant’s version, and it can be downloaded from the command and control (C\u0026C) server soon\r\nafter the implant starts, or after a specific command. 
In the most recent case, the choice of the payload zip file depends on\r\nthe device process architecture. For now, we observe only one payload version for the following ARM CPUs: arm64-v8a,\r\narmeabi, armeabi-v7a.\r\nNote that in almost all cases, this payload file, contained in zip archives, is named ‘setting’ or ‘setting.o’.\r\nThe main purpose of this module is providing reverse shell features on the device by connecting with the C\u0026C server’s\r\nsocket.\r\nReverse shell payload\r\nThe payload is started by the main module with a specified host and port as a parameter that is hardcoded to ‘54.67.109.199’\r\nand ‘30010’ in some versions:\r\nAlternatively, they could be hardcoded directly into the payload code:\r\nWe also observed variants that were equipped with similar reverse shell payloads directly in the main APK /lib/ path.\r\nEquipped reverse shell payload with specific string\r\nAfter an in-depth look, we found that some versions of the reverse shell payload code share similarities with PRISM – a\r\nstealth reverse shell backdoor that is available on Github.\r\nReverse shell payload from update_dev.zip\r\nExploit payload\r\nAt the same time, we found an important payload binary that is trying to exploit several known vulnerabilities and escalate\r\nprivileges. According to several timestamps, this payload is used by implant versions created since 2016. It can also be\r\ndownloaded by a specific command. The exploit payload contains the following file components:\r\nComponent name Description\r\nrun_root_shell/arrs_put_user.o/arrs_put_user/poc Exploit ELF\r\ndb Sqlite3 tool ELF\r\ndevice.db\r\nSqlite3 database with supported devices and their constants needed\r\nfor privilege escalation\r\n‘device.db’ is a database used by the exploit. 
It contains two tables – ‘supported_devices’ and ‘device_address’. The first\r\ntable contains 205 devices with some Linux properties; the second contains the specific memory addresses associated with\r\nthem that are needed for successful exploitation. You can find a full list of targeted models in the Appendix.\r\nFragment of the database with targeted devices and specific memory addresses\r\nIf the infected device is not listed in this database, the exploit tries to discover these addresses programmatically.\r\nAfter downloading and unpacking, the main module executes the exploit binary file. Once executed, the module attempts to\r\nget root privileges on the device by exploiting the following vulnerabilities:\r\nCVE-2013-2094\r\nCVE-2013-2595\r\nCVE-2013-6282\r\nCVE-2014-3153 (futex aka TowelRoot)\r\nCVE-2015-3636\r\nExploitation process\r\nAfter an in-depth look, we found that the exploit payload code shares several similarities with the public project android-rooting-tools.\r\nDecompiled exploit function code fragment\r\nrun_with_mmap function from the android-rooting-tools project\r\nAs can be seen from the comparison, there are similar strings and also a unique comment in Italian, so it looks like the\r\nattackers created this exploit payload based on the android-rooting-tools project source code.\r\nBusybox payload\r\nBusybox is public software that provides several Linux tools in a single ELF file. In earlier versions, it operated with shell\r\ncommands like this:\r\nStealing WhatsApp encryption key with Busybox\r\nSocial payload\r\nActually, this is not a standalone payload file – in all the observed versions its code was compiled with the exploit payload in\r\none file (‘poc_perm’, ‘arrs_put_user’, ‘arrs_put_user.o’). 
This is due to the fact that the implant needs to escalate privileges\r\nbefore performing social payload actions. This payload is also used by the earlier versions of the implant. It has similar\r\nfunctionality to the ‘AndroidMDMSupport’ command from the current versions – stealing data belonging to other installed\r\napplications. The payload executes shell commands to steal data from various applications. The example below steals\r\nFacebook data:\r\nAll the other hardcoded applications targeted by the payload:\r\nPackage name Name\r\njp.naver.line.android LINE: Free Calls \u0026 Messages\r\ncom.facebook.orca Facebook messenger\r\ncom.facebook.katana Facebook\r\ncom.whatsapp WhatsApp\r\ncom.viber.voip Viber\r\nParser payload\r\nUpon receiving a specific command, the implant can download a special payload to grab sensitive information from external\r\napplications. The case where we observed this involved WhatsApp.\r\nIn the examined version, it was downloaded from:\r\nhxxp://url[.]plus/Updates/tt/parser.apk\r\nThe payload can be a .dex or .apk file which is a Java-compiled Android executable. 
After downloading, it will be loaded by\r\nthe main module via the DexClassLoader API:\r\nAs mentioned, we observed a payload that exclusively targets the WhatsApp messenger and it does so in an original way.\r\nThe payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so\r\nit waits for the targeted application to be launched and then parses all nodes to find text messages:\r\nNote that the implant needs special permission to use the Accessibility Service API, but there is a command that performs a\r\nrequest with a phishing text displayed to the user to obtain such permission.\r\nWindows\r\nWe have found multiple components that form an entire spyware system for the Windows platform.\r\nName MD5 Purpose\r\nmsconf.exe 55fb01048b6287eadcbd9a0f86d21adf Main module, reverse shell\r\nnetwork.exe f673bb1d519138ced7659484c0b66c5b Sending exfiltrated data\r\nsystem.exe d3baa45ed342fbc5a56d974d36d5f73f Surrounding sound recording by mic\r\nupdate.exe 395f9f87df728134b5e3c1ca4d48e9fa Keylogging\r\nwow.exe 16311b16fd48c1c87c6476a455093e7a Screenshot capturing\r\nskype_sync2.exe 6bcc3559d7405f25ea403317353d905f Skype call recording to MP3\r\nAll modules, except skype_sync2.exe, are written in Python and packed to binary files via the Py2exe tool. This sort of\r\nconversion allows Python code to be run in a Windows environment without pre-installed Python binaries.\r\nmsconf.exe is the main module that provides control of the implant and reverse shell feature. It opens a socket on the\r\nvictim’s machine and connects with a server-side component of the implant located at 54.67.109.199:6500. 
Before\r\nconnecting with the socket, it creates a malware environment in ‘APPDATA/myupd’ and creates a sqlite3 database there –\r\n‘myupd_tmp\\\\mng.db’:\r\nCREATE TABLE MANAGE(ID INT PRIMARY KEY NOT NULL,Send INT NOT NULL, Keylogg INT NOT\r\nNULL,Screenshot INT NOT NULL,Audio INT NOT NULL);\r\nINSERT INTO MANAGE (ID,Send,Keylogg,Screenshot,Audio) VALUES (1, 1, 1, 1, 0 )\r\nFinally, the malware modifies the ‘Software\\Microsoft\\Windows\\CurrentVersion\\Run’ registry key to enable autostart of the\r\nmain module.\r\nThe code contains multiple comments in Italian; here is the most noteworthy example:\r\n“Receive commands from the remote server, here you can set the key commands to command the virus”\r\nHere are the available commands:\r\nName Description\r\ncd Change current directory to the specified one\r\nquit Close the socket\r\nnggexe Execute received command via Python’s subprocess.Popen() without outputs\r\nngguploads Upload specified file to the specified URL\r\nnggdownloads Download content from the specified URLs and save to specified file\r\nnggfilesystem Dump file structure of the C: path, save it to the file in json format and zip it\r\nnggstart_screen\r\nnggstop_screen\r\nEnable/disable screenshot module. 
When enabled, it makes a screenshot every 25 seconds\r\nnggstart_key\r\nnggstop_key\r\nEnable/disable keylogging module\r\nnggstart_rec\r\nnggstop_rec\r\nEnable/disable surrounding sounds recording module\r\nngg_status Send components status to the C\u0026C socket\r\n*any other*\r\nExecute received command via Python’s subprocess.Popen(); the output is sent to the C\u0026C\r\nsocket.\r\nAll modules set hidden attributes to their files:\r\nModule Paths Exfiltrated data format\r\nmsconf.exe %APPDATA%/myupd/gen/ %Y%m%d-%H%M%S_filesystem.zip (file structure dump)\r\nsystem.exe %APPDATA%/myupd/aud/ %d%m%Y%H%M%S.wav (surrounding sounds)\r\nupdate.exe\r\n%APPDATA%/myupd_tmp/txt/\r\n%APPDATA%/myupd/txt/ %Y%m%d-%H%M%S.txt (keylogging)\r\nwow.exe %APPDATA%/myupd/scr/ %Y%m%d-%H%M%S.jpg (screenshots)\r\nskype_sync2.exe\r\n%APPDATA%/myupd_tmp/skype/\r\n%APPDATA%/myupd/skype/\r\nyyyyMMddHHmmss_in.mp3\r\nyyyyMMddHHmmss_out.mp3\r\n(Skype call recordings)\r\nMoreover, we found one module written in .Net – skype_sync2.exe. The main purpose of this module is to exfiltrate Skype\r\ncall recordings. Just like the previous modules, it contains multiple strings in Italian.\r\nAfter launch, it downloads a codec for MP3 encoding directly from the C\u0026C server:\r\nhttp://54.67.109.199/skype_resource/libmp3lame.dll\r\nThe skype_sync2.exe module has a compilation timestamp – Feb 06 2017 and the following PDB string:\r\n\\\\vmware-host\\Shared\r\nFolders\\dati\\Backup\\Projects\\REcodin_2\\REcodin_2\\obj\\x86\\Release\\REcodin_2.pdb\r\nnetwork.exe is a module for submitting all exfiltrated data to the server. 
In the observed version of the implant it doesn’t\r\nhave an interface to work with the skype_sync2.exe module.\r\nnetwork.exe submitting to the server code snippet\r\nCode similarities\r\nWe found some code similarities between the implant for Windows and other publicly accessible projects.\r\nhttps://github.com/El3ct71k/Keylogger/\r\nIt appears the developers have copied the functional part of the keylogger module from this project.\r\nupdate.exe module and Keylogger by ‘El3ct71k’ code comparison\r\nXenotix Python Keylogger including specified mutex ‘mutex_var_xboz’.\r\nupdate.exe module and Xenotix Python Keylogger code comparison\r\n‘addStartup’ method from msconf.exe module\r\n‘addStartup’ method from Xenotix Python Keylogger\r\nDistribution\r\nWe found several landing pages that spread the Android implants.\r\nMalicious URL Referrer\r\nhttp://217.194.13.133/tre/internet/Configuratore_3.apk http://217.194.13.133/tre\r\nhttp://217.194.13.133/appPro_AC.apk –\r\nhttp://217.194.13.133/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk http://217.194.13.133/19\r\nhttp://217.194.13.133/190/configurazione/vodafone/smartphone/Vodafone%20Configuratore.apk http://217.194.13.133/19\r\nhttp://vodafoneinfinity.sytes.net/tim/internet/Configuratore_TIM.apk http://vodafoneinfinity.sy\r\nhttp://vodafoneinfinity.sytes.net/190/configurazione/vodafone/smartphone/VODAFONE%20Configuratore%20v5_4_2.apk http://vodafoneinfinity.sy\r\nhttp://windupdate.serveftp.com/wind/LTE/WIND%20Configuratore%20v5_4_2.apk http://windupdate.serveft\r\nhttp://119.network/lte/Internet-TIM-4G-LTE.apk http://119.network/lte/do\r\nhttp://119.network/lte/Configuratore_TIM.apk\r\nMany of these domains are outdated, but almost all (except one – appPro_AC.apk) samples located on the 
217.194.13.133\r\nserver are still accessible. All the observed landing pages mimic the mobile operators’ web pages through their domain name\r\nand web page content as well.\r\nLanding web pages that mimic the Vodafone and Three mobile operator sites\r\nNETWORK CONFIGURATION\r\n** AGG. 2.3.2015 ***\r\nDear Customer, in order to avoid malfunctions to your internet connection, we encourage you to upgrade your configuration.\r\nDownload the update now and keep on navigating at maximum speed!\r\nDOWNLOAD NOW\r\nDo you doubt how to configure your smartphone?\r\nFollow the simple steps below and enter the Vodafone Fast Network.\r\nInstallation Guide\r\nDownload\r\nClick on the DOWNLOAD button you will find on this page and download the application on your smartphone.\r\nSet your Smartphone\r\nGo to Settings-\u003e Security for your device and put a check mark on Unknown Sources (some models are called Sources\r\nUnknown).\r\nInstall\r\nGo to notifications on your device (or directly in the Downloads folder) and click Vodafone Configuration Update to install.\r\nTry high speed\r\nRestart your device and wait for confirmation sms. Your smartphone is now configured.\r\nFurther research of the attacker’s infrastructure revealed more related mimicking domains.\r\nUnfortunately, for now we can’t say in what environment these landing pages were used in the wild, but according to all the\r\ninformation at our disposal, we can assume that they are perfect for exploitation using malicious redirects or man-in-the-middle attacks. For example, this could be when the victim’s device connects to a Wi-Fi access point that is infected or\r\ncontrolled by the attackers.\r\nArtifacts\r\nDuring the research, we found plenty of traces of the developers and those doing the maintaining.\r\nAs already stated in the ‘malware features’ part, there are multiple giveaways in the code. 
Here are just some of them:\r\nngglobal – FirebaseCloudMessaging topic name\r\nIssuer: CN = negg – from several certificates\r\nnegg.ddns[.]net, negg1.ddns[.]net, negg2.ddns[.]net – C\u0026C servers\r\nNG SuperShell – string from the reverse shell payload\r\nngg – prefix in command names of the implant for Windows\r\nSignature with specific issuer\r\nWhois records and IP relationships provide many interesting insights as well. There are many other mentions of ‘Negg’ in Whois records, along with references to it. For example:\r\nConclusions\r\nThe Skygofree Android implant is one of the most powerful spyware tools that we have ever seen for this platform. As a\r\nresult of the long-term development process, there are multiple, exceptional capabilities: usage of multiple exploits for\r\ngaining root privileges, a complex payload structure, never-before-seen surveillance features such as recording surrounding\r\naudio in specified locations.\r\nGiven the many artifacts we discovered in the malware code, as well as infrastructure analysis, we are pretty confident that\r\nthe developer of the Skygofree implants is an Italian IT company that works on surveillance solutions, just like\r\nHackingTeam.\r\nNotes\r\n*Skygofree has no connection to Sky, Sky Go or any other subsidiary of Sky, and does not affect the Sky Go service or app.\r\n Skygofree Appendix — Indicators of Compromise (PDF)\r\nSource: https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"
	],
	"report_names": [
		"83603"
	],
	"threat_actors": [],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0dde64f31688363e1a4c031d418384a87078069f.pdf",
		"text": "https://archive.orkl.eu/0dde64f31688363e1a4c031d418384a87078069f.txt",
		"img": "https://archive.orkl.eu/0dde64f31688363e1a4c031d418384a87078069f.jpg"
	}
}