A “unique and powerful” variant of Android malware, known as the SpyNote family (aka SpyMax), is being used in campaigns to attack mobile banking applications and social media, leveraging its capabilities to monitor, manage and modify a device’s resources and features.
Remote Access Trojan (RAT) Identified
As detailed by cybersecurity provider ThreatFabric, the variant, which has been active since 2021, also possesses remote access trojan (RAT) capabilities. It has previously been used solely as spyware to steal victims' credentials for financial gain.
The SpyNote family has evolved into several distinct variants, the most recent of which, dubbed SpyNote.C, accounts for the most threat samples ThreatFabric has seen in the last quarter of 2022. The version has been “openly” directed at banking applications.
It has impersonated financial institutions like HSBC, Deutsche Bank, Kotak Bank, BurlaNubank, and others, as well as applications like WhatsApp, Facebook, and Google Play. The attackers have also disguised the malware as wallpaper, productivity and gaming applications. The fake applications typically infect a user’s mobile device through a phishing ruse in which a user mistakenly downloads what appears to be a legitimate application.
ThreatFabric’s researchers said that some of the SpyNote.C apps are being developed by lone actors and promulgated as CypherRat. Some of those actors are using their modified versions of CypherRat to target a larger audience through social media apps.
CypherRat is being offered for sale through a Telegram channel, ThreatFabric wrote in a blog post. It uses the Sellix payment system and cryptocurrencies to prevent tracking.
Some 80 customers bought CypherRat from August 2021 until October 2022, ThreatFabric said. The authors then decided to post the source code on GitHub after a “few scamming incidents in hacking forums where actors would impersonate the original threat actor to steal money from other criminals.”
In its investigation, ThreatFabric discovered that the original creator had launched a new spyware project called CraxsRat, offered as a paid application with capabilities similar to those of the initial malware.
A Closer Look at SpyNote
Here is a list of some of SpyNote’s features:
- Ability to use the Camera API to record and send videos from the device’s camera to the command-and-control center
- GPS and network location tracking information
- Stealing social media credentials (Facebook and Google)
- Uses Accessibility (A11y) to extract codes from Google Authenticator
- Uses keylogging powered by Accessibility services to steal banking credentials
SpyNote uses Accessibility Services to make it difficult for users to uninstall the application, as well as to install new versions and other apps, ThreatFabric wrote. Access to accessibility services enables SpyNote to install and update the malware without user input.
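Because the abuse described above depends on an enabled accessibility service in an app that arrived outside an app store, a device audit can cross-check the two. The following is an added example, not code from ThreatFabric or from this article; the package names and sample outputs are constructed, and treating only Google Play as a trusted installer is an assumption.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted
PKG_LINE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?")

# Constructed output of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.wallpaper.hd/.CoreService"
)
# Constructed output of: adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.wallpaper.hd  installer=null
package:com.example.notes  installer=com.android.vending
"""


def parse_a11y_services(raw):
    """Return (package, service_class) pairs from the colon-separated setting."""
    pairs = []
    for component in raw.strip().split(":"):
        if not component or component == "null":  # "null" means the setting is unset
            continue
        package, _, cls = component.partition("/")
        # A leading dot is shorthand for "<package><class>".
        pairs.append((package, package + cls if cls.startswith(".") else cls))
    return pairs


def parse_installers(raw):
    """Map package name -> installer package (None when no installer is recorded)."""
    installers = {}
    for line in raw.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) in (None, "null") else m.group(2)
    return installers


def flag_untrusted_a11y(a11y_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """List enabled accessibility services whose package has no trusted installer."""
    installers = parse_installers(packages_raw)
    return [
        {"package": pkg, "service": svc, "installer": installers.get(pkg)}
        for pkg, svc in parse_a11y_services(a11y_raw)
        if installers.get(pkg) not in trusted
    ]
```

Preinstalled system apps also report `installer=null`, so the result is a review list rather than a verdict.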
The malware can also access a device’s camera and send videos to its command-and-control center. ThreatFabric described this capability as one of its “most dangerous” because it can be used to extract a user’s personally identifiable information from the infected device. In addition, the attacker can spy on the user’s movements through control over the camera.
As ThreatFabric wrote:
“We predict that SpyNote will keep using Accessibility Service to collect essential data from users’ devices and that it will be able to develop towards a successful distribution. We also believe that the trend will continue adopting better security measures like obfuscation and packers to help safeguard the program itself. It is very likely that different forks of SpyNote will continue appearing, following the release of its source code.”