Malware Advisory For Android Mobile Devices. - Science/Technology - Nairaland

Malware Advisory For Android Mobile Devices. by Bimpe29: 10:07am On Feb 20, 2018
#############################
## ngCERT S E C U R I T Y A D V I S O R Y ##
#############################

ngCERT Advisory on SKYGOFREE exploit

Risk: MEDIUM

Damage: HIGH

Advisory ID: ngCERT-2018-005

Platforms: Android OS, Windows OS & MAC OSX Variant

Date: 20 February, 2018

Summary

SKYGOFREE is a malicious exploit that is targeted at Android mobile devices, although MAC OSX and Windows OS variants of the exploit also exist. SKYGOFREE is an exploit with about 48 different remote control capabilities. It is capable of tapping into text messages (SMS), emails, camera, photo gallery, GPS, voice calls, surrounding conversations and all functionality of an infected device.

Description and Consequences

SKYGOFREE is an exploit developed by Dark Caracal, a Lebanese-based hacking group believed to be linked to the Lebanese government and to have been engaged in cyber theft of gigabytes of data in over 21 different countries. SKYGOFREE has been around since 2015 and is used for espionage on a global scale. A research report released by the cybersecurity firm Lookout and the Electronic Frontier Foundation (EFF) shows evidence of how the group is linked to the Lebanese government.

The SKYGOFREE Android malware variant, referred to as Pallas, is a Trojanized version of legitimate mobile apps, and it has been found in WhatsApp, Signal, Primo, Threema, Plus Messenger, Psiphon VPN, Orbot TOR proxy, fake Flash Player updates and fake Google Play Push apps. Pallas primarily depends on permissions granted to it on installation to access sensitive data on infected devices, according to the Lookout/EFF report.

Solution
1. Stakeholders are advised to ensure all devices are kept up-to-date with the latest patches and updates as soon as they are available.
2. Stakeholders are also advised to ensure trusted antivirus software is installed on devices and also kept up-to-date.
3. Only trusted and verified apps should be installed on devices. This means stakeholders should avoid installing apps not found on the Google Play store on Android devices.
4. Never allow personal (BYOD) devices on corporate networks unless they have been scanned and found to be clean.
5. Personal devices used for work should be controlled under a mobile device management policy.
6. If a device is found to be infected, power off the system using the hardware power switch on the device, disconnect the device from any connected network, and report the incident to ngCERT via phone: 07044642378, email: incident@cert.gov.ng or using the Report an Incident Form on the ngCERT website: www.cert.gov.ng.

References

1. https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
2. https://www.csoonline.com/article/3250245/security/dark-caracal-hacking-group-targets-android-smartphones.html
3. https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news
4. https://www.lookout.com/info/ds-dark-caracal-ty
5. https://www.techrepublic.com/article/dark-caracal-hacking-group-has-stolen-hundreds-of-gigabytes-of-data-from-21-countries/
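
A defender-side check for Solution items 3 to 5, given as an added example that is not part of the original post or the ngCERT advisory: it flags apps that were not installed from Google Play and whose granted permissions cover several of the capabilities listed in the Summary. The input mimics the line format of `adb shell pm list packages -i -3`; the package names, the per-app permission map and the threshold are constructed for illustration.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Android permissions mapped to the capabilities named in the advisory summary.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "photo gallery",
    "android.permission.ACCESS_FINE_LOCATION": "GPS",
    "android.permission.READ_CALL_LOG": "voice calls",
    "android.permission.RECORD_AUDIO": "surrounding conversations",
}
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

def parse_installers(listing):
    """Map package -> installer (None if unknown) from `pm list packages -i` lines."""
    out = {}
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m["pkg"]] = None if m["inst"] == "null" else m["inst"]
    return out

def audit(listing, granted, threshold=3):
    """Return (pkg, installer, capabilities) for apps not installed from
    Google Play whose granted permissions cover >= threshold capabilities."""
    findings = []
    for pkg, inst in parse_installers(listing).items():
        if inst == PLAY_STORE:
            continue
        caps = sorted({SENSITIVE[p] for p in granted.get(pkg, ()) if p in SENSITIVE})
        if len(caps) >= threshold:
            findings.append((pkg, inst, caps))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample data (hypothetical packages, not real indicators).
P = "android.permission."
LISTING = """package:com.example.chat  installer=com.android.vending
package:com.example.flashupdate  installer=null
package:com.example.notes  installer=com.example.filemanager
"""
GRANTED = {
    "com.example.chat": [P + "READ_SMS", P + "CAMERA", P + "RECORD_AUDIO"],
    "com.example.flashupdate": [P + "READ_SMS", P + "RECEIVE_SMS", P + "CAMERA",
                                P + "RECORD_AUDIO", P + "ACCESS_FINE_LOCATION"],
    "com.example.notes": [P + "READ_EXTERNAL_STORAGE"],
}

if __name__ == "__main__":
    for pkg, inst, caps in audit(LISTING, GRANTED):
        print(f"REVIEW {pkg} (installer={inst}): {', '.join(caps)}")
```

A flagged app is a candidate for review, not a verdict: preinstalled apps can also report no installer, which is why the listing is restricted to third-party packages.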
