Sunday, 15 April 2018

Highly advanced spyware that’s capable of stealing WhatsApp messages from victims has been discovered by cyber security researchers.
The malware can “spy extensively” on people, and force their phones to record audio and video and take pictures, and steal text messages and call records, all “without arousing suspicion”, the researchers say.
It has been dubbed “Skygofree”, but it has no connection to Sky or any of its products and does not affect the Sky Go service.
Kaspersky Lab describes it as “one of the most advanced mobile implants” it has ever come across, and says it “includes a number of advanced features not seen in the wild before”, which can give an attacker full remote control of an infected device.
One of its most noteworthy features is the ability to steal WhatsApp messages, by making use of the Accessibility Services feature on Android. It doesn’t take advantage of any vulnerabilities in the messenger app itself.
“Upon receiving a specific command, the implant can download a special payload to grab sensitive information from external applications,” Kaspersky Lab says, adding that it found a payload that exclusively targets WhatsApp.
“The payload uses the Android Accessibility Service to get information directly from the displayed elements on the screen, so it waits for [WhatsApp] to be launched and then parses all nodes to find text messages.”
Though it needs the victim to grant a special permission before it can steal messages, it can obtain this by delivering a deceptive phishing message.
Skygofree can also “eavesdrop on surrounding conversations and noise when an infected device enters a specified location – a feature that has not previously been seen in the wild”, the researchers say.
The malware can enable an infected phone’s microphone and force it to record everything going on around it.
Kaspersky Lab says it is also capable of taking pictures and videos, seizing call records, text messages, geolocation data, calendar events and business-related information stored in the device’s memory.
The researchers found 48 different commands that attackers can issue to the implant, which are listed in their report.
They say the malware has been active since 2014 and that the campaign is still ongoing. It has successfully infected “several” victims, all of whom are based in Italy, and is targeting Android and Windows users.
Kaspersky Lab says it has “a high level of confidence that the developer behind the Skygofree implants is an Italian IT company that offers surveillance solutions”, adding that the malware was designed for “targeted cyber-surveillance”.
“If in doubt, call the service provider to verify.”

Hackers Can Steal Data From Air-Gapped Computers Through Powerlines

Do you think it is possible to extract data from a computer using its power cables?

If no, then you should definitely read about this technique.

Researchers from Israel's Ben Gurion University of the Negev, who focus mainly on finding clever ways to exfiltrate data from isolated or air-gapped computers, have now shown how fluctuations in the current flow "propagated through the power lines" can be used to covertly steal highly sensitive data.

Air-gapped computers are isolated from the Internet and from local networks, and are therefore believed to be among the most secure devices: hard to infiltrate, and hard to exfiltrate data from.

"As a part of the targeted attack, the adversary may infiltrate the air-gapped networks using social engineering, supply chain attacks, or malicious insiders. Note that several APTs discovered in the last decade are capable of infecting air-gapped networks, e.g., Turla, RedOctober, and Fanny," researchers said.
"However, despite the fact that breaching air-gapped systems has been shown feasible, the exfiltration of data from an air-gapped system remains a challenge."

Dubbed PowerHammer, the latest technique uses specially designed malware to control the CPU utilization of an air-gapped computer, creating fluctuations in the current flow in a Morse-code-like pattern that carries the data in binary form (i.e., as 0s and 1s).

To retrieve the modulated binary information, an attacker needs to implant hardware that monitors the current flowing through the power lines (measuring the conducted emission) and then decodes the exfiltrated data.

"We show that a malware running on a computer can regulate the power consumption of the system by controlling the workload of the CPU. Binary data can be modulated on the changes of the current flow, propagated through the power lines, and intercepted by an attacker," researchers said.

According to the researchers, attackers can exfiltrate data from the computer at 10 to 1,000 bits per second, depending on their approach.
The higher speed is achieved if attackers can tap the power lines inside the target building that connect the computer. This variant has been called "line-level powerhammering."

The slower speed is achieved in "phase-level powerhammering", which can be carried out from the electrical service panel outside a building.

In both variants of the attack, the attacker measures and encodes the emission conducted and then decodes the exfiltrated data.

With the line-level PowerHammering attack, researchers were able to exfiltrate data from a PC running an Intel Haswell-era quad-core processor at the rate of 1000 bits/second and an Intel Xeon E5-2620-powered server at 100 bits/second, both with a zero percent error rate.

The phase-level variant suffers from performance degradation. Because of the background noise at the phase level (power is shared with everything else connected to it, such as appliances and lights), the researchers could achieve only up to 3 bits/second at a zero percent error rate, and the error rate rose to 4.2% at 10 bits/second.
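The modulation described above and the noise-limited phase-level variant, as an added toy model in Python (not code from the paper or from this article): bits are sent by switching CPU load on and off for one bit period each, a line-level probe sees only that load, and a phase-level probe sees it plus interference from everything else on the phase, approximated here as Gaussian noise. The sample rate, current level and noise level are constructed assumptions.

```python
# Added toy model of the PowerHammer channel; all constants are constructed.
import random

SAMPLES_PER_BIT = 20   # probe samples taken during one bit period (assumption)
LOAD_AMPS = 1.0        # extra current drawn while the CPU is kept busy (assumption)


def modulate(bits):
    """On-off keying: a 1 bit is one period of full CPU load, a 0 bit one period idle."""
    return [LOAD_AMPS * b for b in bits for _ in range(SAMPLES_PER_BIT)]


def add_phase_interference(trace, noise_amps, seed=1):
    """Model the other consumers sharing the phase as Gaussian noise (a simplification)."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, noise_amps) for s in trace]


def demodulate(trace):
    """Average each bit period and threshold it at half the busy-state current."""
    bits = []
    for start in range(0, len(trace), SAMPLES_PER_BIT):
        window = trace[start:start + SAMPLES_PER_BIT]
        bits.append(1 if sum(window) / len(window) > LOAD_AMPS / 2 else 0)
    return bits


def bit_error_rate(sent, received):
    """Fraction of bits that were decoded wrongly."""
    return sum(a != b for a, b in zip(sent, received)) / len(sent)


def channel_ber(bits, noise_amps, seed=1):
    """Send `bits` over the modelled channel; noise_amps=0 is the clean line-level case."""
    trace = modulate(bits)
    if noise_amps > 0:
        trace = add_phase_interference(trace, noise_amps, seed)
    return bit_error_rate(bits, demodulate(trace))


if __name__ == "__main__":
    msg = [int(c) for c in "0110100001101001"]   # constructed 16-bit payload
    print("line level  (only the PC on the wire):", channel_ber(msg, 0.0))
    print("phase level (heavy shared-line noise):", channel_ber(msg, 5.0))
```

Averaging more samples per bit (a longer bit period) shrinks the noise on each decision, which is why the phase-level variant trades bit rate for error rate.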

"The results indicate that in the phase level power-hammering attack, desktop computers could only be used to exfiltrate small amount of data such as passwords, credential tokens, encryption keys, and so on," the researchers said.

For more details on the PowerHammer attack, see the paper [PDF] titled "PowerHammer: Exfiltrating Data from Air-Gapped Computers through Power Lines."