Security firms spot new malware variations all the time, but most of them aren't very sophisticated. They don't have to be to spam ads or track your location. However, the newly identified Skygofree is in a completely different league. According to Kaspersky, this piece of malware possesses features never before seen in the wild.
This rogue app spreads from web pages built to look like those of mobile carriers such as Vodafone. Visitors are told to install an APK to get faster network access; of course, they get nothing of the sort. Once installed, the malware can track the device's location and record audio only when the device enters attacker-chosen locations (a geofenced recording trigger). It also hooks into popular messaging apps such as WhatsApp and Skype through Android's Accessibility Services to capture conversations, and the bundled reverse shell gives the operators full remote control of the device.
Kaspersky attributes Skygofree to an Italian company that sells surveillance software; it is, in effect, a commercial spyware implant rather than ordinary crimeware. The earliest samples date from 2014, but that early version bears little resemblance to the current multi-function tool. It has grown into a full espionage suite.
So, that's all the doom and gloom. The good news is you probably don't have to fret about Skygofree. The only infection vector Kaspersky reports is sideloading the APK from those fake carrier pages, so if you don't install sketchy APKs you won't get it. Even if you did install it, the nastiest capabilities depend on getting root, and the creators bundled five known kernel exploits to do that. Keep in mind that not everything needs root: the messaging-app surveillance rides on Accessibility Services, a permission the victim is tricked into granting, and the reverse shell works at whatever privilege level the app has. Here are the exploits.
CVE-2013-2094 (Linux kernel priv escalation, perf_event_open)
CVE-2013-2595 (Linux kernel priv escalation, Qualcomm camera driver)
CVE-2013-6282 (Linux kernel get_user/put_user exploit on ARM)
CVE-2014-3153 (Towelroot, futex)
CVE-2015-3636 (PingPong root, ping socket use-after-free)
You probably recognize some of those, but they're all ancient at this point: the newest dates from 2015, and Android builds have carried fixes for all of them for years. A phone with a reasonably current security patch level will deny Skygofree root, which cuts it down to what a tricked-into-Accessibility app can do on its own. If you're interested in a technical rundown of the malware, check the Kaspersky SecureList post.
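If you want to check a fleet of devices rather than take the "semi-recent build" claim on faith, the script below is an added example (it is not from the article or from Kaspersky's writeup). It parses the output of `adb shell getprop` and `adb shell settings get secure enabled_accessibility_services`, flags devices whose security patch level predates an assumed cutoff of 2016-01-01 (chosen because the newest bundled exploit, CVE-2015-3636, is from 2015; the exact fix dates per OEM vary, so treat the cutoff as policy, not fact), and lists accessibility services outside an allowlist, since that is the hook Skygofree uses for messaging apps. The sample `getprop` outputs are constructed for the example.

```python
"""Exposure triage for the root exploits bundled with Skygofree (added example).

Input is the text of `adb shell getprop` and of
`adb shell settings get secure enabled_accessibility_services`.
"""
import re
from datetime import date

# The five kernel exploits named in Kaspersky's report, for the triage output.
SKYGOFREE_EXPLOITS = {
    "CVE-2013-2094": "perf_event_open out-of-bounds",
    "CVE-2013-2595": "Qualcomm camera driver",
    "CVE-2013-6282": "ARM get_user/put_user missing address check",
    "CVE-2014-3153": "Towelroot (futex)",
    "CVE-2015-3636": "PingPong root (ping socket UAF)",
}

# Assumed policy cutoff: a security patch level on or after this date is treated
# as outside the exploit window of the bundle above. Adjust to your own policy.
PATCH_CUTOFF = date(2016, 1, 1)

# Constructed sample outputs (not captured from real devices).
OLD_GETPROP = """[ro.build.version.release]: [5.1.1]
[ro.build.version.sdk]: [22]
[ro.product.model]: [OldPhone]
"""
NEW_GETPROP = """[ro.build.version.release]: [8.1.0]
[ro.build.version.sdk]: [27]
[ro.build.version.security_patch]: [2018-01-05]
[ro.product.model]: [NewPhone]
"""


def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"\[([^\]]+)\]: \[([^\]]*)\]", text)}


def parse_patch_level(value):
    """Security patch level is an ISO date string like 2018-01-05; None if absent/odd."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def assess_exposure(props, cutoff=PATCH_CUTOFF):
    """Decide whether the bundled root exploits are plausibly still usable.

    The patch level is a proxy for the OEM kernel carrying the fixes; a device
    that reports none (pre-6.0 or a custom ROM) is treated as unpatched.
    """
    patch = parse_patch_level(props.get("ro.build.version.security_patch", ""))
    release = props.get("ro.build.version.release", "unknown")
    if patch is None:
        return {"exposed": True, "release": release, "patch_level": None,
                "reason": "no security patch level reported; treat as unpatched",
                "candidate_exploits": sorted(SKYGOFREE_EXPLOITS)}
    if patch < cutoff:
        return {"exposed": True, "release": release, "patch_level": patch.isoformat(),
                "reason": f"patch level {patch} predates cutoff {cutoff}",
                "candidate_exploits": sorted(SKYGOFREE_EXPLOITS)}
    return {"exposed": False, "release": release, "patch_level": patch.isoformat(),
            "reason": f"patch level {patch} is at or after cutoff {cutoff}",
            "candidate_exploits": []}


def enabled_accessibility_services(text):
    """`settings get secure ...` prints `pkg/.Service:pkg2/.Service2`, or `null`."""
    text = text.strip()
    if text in ("", "null"):
        return []
    return [s for s in text.split(":") if s]


def unexpected_accessibility_services(text, allowed_packages):
    """Services whose package is not on the allowlist; these deserve a look,
    because that is how Skygofree reads messaging-app screens without root."""
    return [s for s in enabled_accessibility_services(text)
            if s.split("/")[0] not in allowed_packages]


if __name__ == "__main__":
    for label, raw in (("old", OLD_GETPROP), ("new", NEW_GETPROP)):
        print(label, assess_exposure(parse_getprop(raw)))
    print(unexpected_accessibility_services(
        "com.android.talkback/.TalkBackService:com.example.fake/.Svc",
        {"com.android.talkback"}))
```

Run it against a real device with `adb shell getprop > props.txt` and feed the file to `parse_getprop`; an empty `candidate_exploits` list only says the bundled kernel bugs are out of range, not that the app is harmless, so still review the accessibility-service output.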
- Kaspersky blog