S0327: Skygofree
Analyst context for executives and security teams
Skygofree matters because it represents Android spyware behavior that can turn a mobile device into a surveillance and data-collection point. The ATT&CK relationships show behaviors relevant to executive risk: privilege escalation, runtime code download, collection of stored app data, audio/video capture, location tracking, web-based communications, and possible out-of-band communications. For organizations that allow Android devices to access business communications or sensitive workflows, the decision issue is whether mobile telemetry, device governance, and incident response plans can identify and contain this class of compromise.
Executive priority
Prioritize this as a mobile security and privacy risk where Android devices are used for corporate email, messaging, field operations, executive travel, or regulated data access. Leaders should ask whether mobile device management, app governance, patch/vulnerability processes, and incident response evidence are sufficient to investigate spyware-like behavior. The business value is not in treating Skygofree as a current campaign by default, but in validating whether controls can handle mobile surveillance, sensitive data collection, and communications that may blend into normal web or out-of-band channels.
Technical view
For SOC, detection engineering, and IR teams, validate Android coverage against the related techniques rather than relying on the malware name alone. Key behaviors to test for include exploitation-driven privilege escalation, post-install runtime code retrieval, attempts to access stored application data, microphone/camera/location permission use, HTTP/HTTPS-like command traffic, and SMS/NFC/Bluetooth or other out-of-band communications where observable. Because ATT&CK provides no official detection text for this object and no tactics are specified, detection should be behavior-led and grounded in local mobile telemetry, application inventory, permission baselines, network logs, and device management data.
Likely telemetry
- Android device inventory and OS/app version posture
- Mobile device management or enterprise mobility management records
- Application installation source, package metadata, and manifest permissions
- Runtime permission grants for microphone, camera, location, storage, SMS, Bluetooth, NFC, or notification access where available
- Mobile security or endpoint telemetry showing privilege escalation indicators, rooting status, or abnormal app behavior
Detection direction
- Build detections around the related ATT&CK behaviors, not just static malware identifiers.
- Baseline Android app permissions and alert on uncommon combinations such as location plus microphone/camera plus storage or messaging-related access, with tuning for legitimate enterprise apps.
- Validate whether tools can observe code downloaded after installation; static app scanning alone may miss runtime behavior described by T1407.
- Correlate privilege-escalation or rooting indicators with attempts to access protected application data.
- Review mobile network telemetry for suspicious web-protocol command-and-control patterns, while accounting for high false-positive rates in normal HTTPS mobile app traffic.
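The permission-baseline, install-source and rooting correlations described above, as an added example that is not part of the ATT&CK object or any vendor tool: a Python triage pass over a constructed MDM-style app inventory. The inventory field names, the allowlist and the sample package names are assumptions; the permission strings and the Play Store installer package name are standard Android identifiers.

```python
from typing import Dict, List

# Android manifest permissions grouped by the capability the detection notes above name.
LOCATION = {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"}
CAPTURE = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"}
DATA_ACCESS = {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_SMS",
               "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}
PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's installer package name

# Enterprise apps that legitimately combine these capabilities; tune per organisation (constructed).
ALLOWLIST = {"com.example.fieldops"}


def triage(inventory: List[Dict]) -> List[Dict]:
    """Return one finding per package showing the location + capture + data-access
    combination. Each record is assumed to carry: device, package, installer
    (installer package name or None), permissions (granted list), rooted (bool)."""
    findings = []
    for app in inventory:
        perms = set(app["permissions"])
        combo = perms & LOCATION and perms & CAPTURE and perms & DATA_ACCESS
        if not combo or app["package"] in ALLOWLIST:
            continue
        reasons = ["location + mic/camera + storage/SMS permissions (T1430, T1429/T1512, T1409)"]
        if app.get("installer") != PLAY_STORE_INSTALLER:
            reasons.append("installed from a non-store source")
        if app.get("rooted"):
            reasons.append("device reports rooting/privilege-escalation indicator (T1404)")
        findings.append({"device": app["device"], "package": app["package"],
                         "severity": "high" if len(reasons) > 1 else "medium",
                         "reasons": reasons})
    return findings


# Constructed sample export: a benign store app, an allowlisted enterprise app, and a
# sideloaded app on a rooted device that matches the spyware-like combination.
SAMPLE_INVENTORY = [
    {"device": "dev-001", "package": "com.example.maps", "installer": PLAY_STORE_INSTALLER,
     "permissions": ["android.permission.ACCESS_FINE_LOCATION"], "rooted": False},
    {"device": "dev-002", "package": "com.example.fieldops", "installer": PLAY_STORE_INSTALLER,
     "permissions": ["android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
                     "android.permission.READ_EXTERNAL_STORAGE"], "rooted": False},
    {"device": "dev-003", "package": "com.example.sysupdate", "installer": None,
     "permissions": ["android.permission.ACCESS_COARSE_LOCATION", "android.permission.RECORD_AUDIO",
                     "android.permission.CAMERA", "android.permission.RECEIVE_SMS"], "rooted": True},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["severity"].upper(), f["device"], f["package"], "; ".join(f["reasons"]))
```

A real export from an MDM/EMM platform would be mapped onto the record shape above before running the pass.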
Mitigation priorities
- Maintain Android OS and application patching to reduce exposure to privilege-escalation vulnerabilities.
- Use managed app enrollment and restrict untrusted application sources where business policy allows.
- Apply least-privilege mobile permission governance, especially for microphone, camera, location, storage, SMS, Bluetooth, NFC, and notification access.
- Require mobile device management or equivalent controls for devices accessing sensitive business services.
- Separate sensitive business data into managed applications or containers where supported to reduce exposure from other apps.
Analyst notes and limits
The supplied ATT&CK object identifies Skygofree as Android spyware believed to have been developed in 2014 and used through at least 2017, with Kaspersky reporting as the cited external source. The most useful defensive context comes from the related ATT&CK techniques, which describe surveillance, data access, privilege escalation, runtime code download, and communications behaviors. This take intentionally avoids claims about current activity, attribution, or guaranteed detection coverage.
ATT&CK provides no official detection text, no aliases, no labels, and no specified tactics for this object in the supplied fields. Local conclusions require organization-specific Android fleet data, app inventories, mobile telemetry, legal/privacy constraints, and network visibility. Some behaviors, especially encrypted web traffic and out-of-band communications, may be difficult to confirm without specialized mobile security or forensic data.
Skygofree
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1429 | Audio Capture | Skygofree can record audio via the microphone when an infected device is in a specified location. [1] |
| Mobile | T1430 | Location Tracking | Skygofree can track the device's location. [1] |
| Mobile | T1512 | Video Capture | Skygofree can record video or capture photos when an infected device is in a specified location. [1] |
| Mobile | T1407 | Download New Code at Runtime | Skygofree can download executable code from the C2 server after the implant starts or after a specific command. [1] |
| Mobile | T1644 | Out of Band Data | Skygofree can be controlled via binary SMS. [1] |
| Mobile | T1409 | Stored Application Data | Skygofree has a capability to obtain files from other installed applications. [1] |
| Mobile | T1404 | Exploitation for Privilege Escalation | Skygofree has the capability to exploit several known vulnerabilities and escalate privileges. [1] |
| Mobile | T1437.001 | Web Protocols (sub-technique) | Skygofree can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 0f6d21aabec1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky-Skygofree: Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018. Open source URL.
- [2] Skygofree: (Citation: Kaspersky-Skygofree)
- [3] mitre-attack S0327: Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.