1. "Never Trust Sprint Again" is editorializing on the part of the submitter, not our stance. It's a very, very crappy thing to put on a phone, but there's no evidence it was placed there maliciously.
2. It was released in the wild on the HTC Hero for some time. We believe it would have been in the wild on the EVO if we hadn't reported it.
3. Sprint was very responsive when we reported this to them. They turned around a patch within a few days that sealed this particular hole.
4. We have no idea where this came from or who was ultimately responsible. That information never made it back to us.
Sprint could have the same functionality built into the kernel and no one would have noticed it. It's actually a good thing it's not running by default. I would snoop around further and see how it's launched; the command list only has the shutdown commands, not the launcher. Without the trigger you really don't have the whole answer.
What's the risk here? Possibly a debugging helper app left inadvertently?
4 Jun 2010: Sprint OTA update removing skyagent binary.
However, the security vulnerabilities present in skyagent are of less concern than the purpose of the program. It appears that the binary was designed as a backdoor into the phone, allowing remote control of the device without the user's knowledge or permission. When the program is invoked, it listens for connections over TCP (by default, port 12345, on all interfaces, including the 3G network!) and accepts a fixed set of commands. These commands appear to be authenticated only by a fixed “magic number”; the commands are encrypted neither on the way to the device nor on the way back. The commands that we have knowledge of at this time include:
sending and monitoring user tap and drag input (“PentapHook”),
sending key events (“InputCapture”),
dumping the framebuffer (“captureScreen”),
listing processes (“GetProc”),
rebooting the device immediately,
and executing arbitrary shell commands as root (“LaunchChild”)
It sounds a lot more like a debugging tool than a malevolent program: a backdoor sitting in an obvious folder, with an easy default port and no encryption, that allows one to see system status, events, or run commands. Also, "We do not believe that skyagent could ever be invoked remotely".
This happens a lot, and there is nothing malicious about it. Now, if they had spawned this process from init and left it running on all phones leaving the factory, that would be another story.
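The quoted writeup says skyagent, once launched, listens on TCP port 12345 on all interfaces, 3G included. The check a practitioner would actually run on a handset (e.g. over `adb shell cat /proc/net/tcp`) is to look for a LISTEN socket on that port that is not bound to loopback, since a socket bound to 0.0.0.0 is reachable from the carrier network while one bound to 127.0.0.1 is not. The following is an added example, not code from this thread or from the skyagent writeup; the `/proc/net/tcp` lines it parses are constructed sample data, and the port is simply the default the writeup names.

```python
# Added example (not from the original thread): audit a Linux /proc/net/tcp
# listing for a listener bound beyond loopback on the skyagent default port.
# The SAMPLE_PROC_NET_TCP text below is constructed, not captured from a device.
import socket
import struct

SKYAGENT_DEFAULT_PORT = 12345   # default port named in the quoted writeup
TCP_LISTEN = 0x0A               # 'st' value for LISTEN in /proc/net/tcp

# Constructed sample: header, a loopback-only listener on 5037, an
# all-interfaces listener on 12345 owned by uid 0, and one ESTABLISHED
# connection to port 80. Addresses are little-endian hex as on ARM/x86 Linux.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1234 1 00000000 100 0 0 10 -1
   1: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 -1
   2: 0A00020F:B7E4 5DB8D822:0050 01 00000000:00000000 00:00000000 00000000 10042        0 9012 1 00000000 100 0 0 10 -1
"""


def parse_addr(hexaddr):
    """Decode the 'AABBCCDD:PPPP' form used in /proc/net/tcp.

    The 32-bit address is printed in host byte order (little-endian here),
    the port in network order; both are hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp_text):
    """Return [(ip, port, uid)] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        ip, port = parse_addr(fields[1])               # local_address
        state = int(fields[3], 16)                     # st
        uid = int(fields[7])                           # uid
        if state == TCP_LISTEN:
            found.append((ip, port, uid))
    return found


def exposed_listeners(proc_net_tcp_text, port=SKYAGENT_DEFAULT_PORT):
    """Listeners on `port` reachable from outside the device: anything not
    bound to 127.0.0.0/8. A 0.0.0.0 bind means every interface, including
    the mobile data interface, which is the exposure the writeup describes."""
    return [(ip, p, uid) for ip, p, uid in listeners(proc_net_tcp_text)
            if p == port and not ip.startswith("127.")]


if __name__ == "__main__":
    # On a real Linux/Android host read the live table; fall back to the
    # constructed sample so the script also runs stand-alone.
    try:
        with open("/proc/net/tcp") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    for ip, port, uid in exposed_listeners(text):
        print(f"exposed listener on {ip}:{port} (uid {uid})")
```

Two caveats a practitioner should keep in mind: this reads only the IPv4 table (`/proc/net/tcp6` is separate and formatted with 128-bit addresses), and a clean result only says the process is not listening right now. As the thread notes, skyagent was not running by default, so the absence of a listener says nothing about whether the binary is still on the device or what launches it.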