The sub-techniques beta is now live! Read the release blog post for more info.


Skygofree is Android spyware that is believed to have been developed in 2014 and used through at least 2017. [1]

ID: S0327
Platforms: Android
Version: 1.2
Created: 17 October 2018
Last Modified: 15 October 2019

Techniques Used

Domain ID Name Use
Mobile T1409 Access Stored Application Data

Skygofree has a capability to obtain files from other installed applications.[1]

Mobile T1438 Alternate Network Mediums

Skygofree can be controlled via binary SMS.[1]

Mobile T1429 Capture Audio

Skygofree can record audio via the microphone when an infected device is in a specified location.[1]

Mobile T1512 Capture Camera

Skygofree can record video or capture photos when an infected device is in a specified location.[1]

Mobile T1407 Download New Code at Runtime

Skygofree can download executable code from the C2 server after the implant starts or after a specific command.[1]

Mobile T1404 Exploit OS Vulnerability

Skygofree has the capability to exploit several known vulnerabilities and escalate privileges.[1]

Mobile T1430 Location Tracking

Skygofree can track the device's location.[1]

Mobile T1437 Standard Application Layer Protocol

Skygofree can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.[1]