In late 2022, security researchers have discovered a spike in volume of SpyNote malware samples used to steal account credentials.
As revealed in a ThreatFabric report, SpyNote malware is a “unique and effective Spyware designed to secretly observe user activity on an Android device.”
SpyNote, also part of the SpyMax family, can also “monitor, manage, and modify the device’s resources and features along with Remote access capabilities.”
Moreover, ThreatFabric researchers spotted the attackers using malicious apps disguised as legitimate wallpaper apps, productivity apps, or gaming apps.
One of the variants SpyNote.C can be also used to “track SMS messages, calls, videos, and audio recordings in addition to updating its version and even installing new applications.”
The report also mentions newer variants are “extremely powerful” and includes security features, such as string obfuscation to commercial packers.
“This makes it much more difficult to analyze, making it a potent tool for threat actors,” ThreatFabric added.
ThreatFabric observed the following features of SpyNote:
- Ability to use the Camera API to record and send videos from the device’s camera to the Command and Control (C&C) center.
- GPS and network location tracking information.
- Stealing social media credentials (Facebook and Google).
- Uses Accessibility (A11y) to extract codes from Google Authenticator.
- Uses Keylogging powered by Accessibility services, to steal banking credentials.
To add, the report describes in more detail how SpyNote leverages each of these services to gain complete control of device camera or gain access to an account without the user’s knowledge, for example.
In conclusion, ThreatFabric predicts SpyNote will continue using the Accessibility Service to exfiltrate sensitive data from victim’s devices. Attackers will likely also continue adding security features like obfuscation and packers that will help hide and safeguard the malicious program.
- The Guardian closes offices after ransomware attack last month
- Raspberry Robin malware uses Tor network to deliver payloads to Telecom and Government targets
- MCCrash botnet launches DDoS attacks against Minecraft servers
- Agenda Ransomware gang uses Rust to target more companies worldwide
- Zerobot botnet exploits 21 vulnerabilities to breach targets
- Cuba ransomware attacks on the rise with new exploits