Now that Google has learned to scrutinize Android apps and refuses to distribute most malware-carrying apps through the Google Play store, makers of malware aimed at specific institutions and groups have learned to postpone the malware download until after the app has been installed and configured. That way, Google never gets the opportunity to detect the malware beforehand, and the innocent-looking app can acquire all the privileges it needs to download and activate the malware once the target's defenses are down.
“Fake Android Apps Used for Targeted Surveillance Found in Google Play”
Zack Whittaker, Zero Day, April 16, 2018
“Skygofree: Following in the Footsteps of HackingTeam”
Nikita Buchka and Alexey Firsh, Securelist, Kaspersky Labs, January 16, 2018
“Found: New Android Malware with Never-Before-Seen Spying Capabilities”
Dan Goodin, Ars Technica, January 16, 2018
Skygofree is capable of taking pictures, capturing video, and seizing call records, text messages, geolocation data, calendar events, and business-related information stored in device memory.
Skygofree also includes the ability to automatically record conversations and noise when an affected device enters a location specified by the person operating the malware. Another never-before-seen feature is the ability to steal WhatsApp messages by abusing the Android Accessibility Service that's designed to help users who have disabilities or who may temporarily be unable to fully interact with a device. A third new feature: the ability to connect infected devices to Wi-Fi networks controlled by attackers.
Skygofree also includes other advanced features, including a reverse shell that gives malware operators better remote control of infected devices. The malware also comes with a variety of Windows components that provide among other things a reverse shell, a keylogger, and a mechanism for recording Skype conversations.