Threat actors were found creating fake websites hosted on newly registered domains to distribute SpyNote, a known Android malware. The deceptive websites were disguised as Google Play Store install pages for known apps such as Google Chrome browser, attempting to trick users into installing the malware.
SpyNote, also known as SpyMax, is a potent remote access trojan (RAT) that can collect sensitive data from breached Android devices by exploiting accessibility services. In May 2024, the malware was delivered through another fake website attempting to impersonate the antivirus solution Avast.
Cybersecurity researchers from the DomainTools Investigations (DTI) team uncovered the cybercriminals behind the campaign. “Notably, the threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself,” DTI said.
The fake websites identified by DTI use a carousel of images that, when clicked, download a malicious APK file onto the victim’s device. The APK installs a second, embedded payload and uses the ‘DialogInterface.OnClickListener’ interface so that the malware executes when the user clicks or taps an item in a dialog box.

When the installation is successful, it immediately requests several intrusive permissions to gain extensive control of the device. DTI said, “This control allows for the theft of sensitive data such as SMS messages, contacts, call logs, location information, and files. SpyNote also boasts significant remote access capabilities, including camera and microphone activation, call manipulation, and arbitrary command execution.”
SpyNote can remotely delete data, lock the device, and install other applications. Its keylogging functionalities target app credentials, and it uses accessibility services to access two-factor authentication codes.
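The combination described above (an accessibility service declared alongside SMS, contact, call-log, location, camera and microphone access) is a useful triage signal when reviewing sideloaded APKs. The following is an added example, not code from the article or from DTI: it parses a decoded AndroidManifest.xml (a constructed sample, not a real SpyNote manifest) and flags that permission cluster for analyst review; the permission threshold is an assumed heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions matching the data the article says SpyNote steals (SMS, contacts,
# call logs, location) plus its camera and microphone access.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str, threshold: int = 4) -> dict:
    """Summarise sensitive permissions and accessibility-service use in a
    decoded (text) AndroidManifest.xml. `threshold` is an assumed heuristic."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # legitimate apps rarely pair it with SMS/call-log/location/camera/mic access.
    has_accessibility = any(
        s.get(f"{{{ANDROID_NS}}}permission") == ACCESSIBILITY_PERM
        for s in root.iter("service")
    )
    sensitive = sorted(requested & SENSITIVE_PERMS)
    return {
        "package": root.get("package"),
        "sensitive_permissions": sensitive,
        "accessibility_service": has_accessibility,
        "flag_for_review": has_accessibility and len(sensitive) >= threshold,
    }


# Constructed sample manifest illustrating the cluster the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".A11y"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the summary; a manifest requesting only INTERNET and no accessibility service is not flagged.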
Analysis of the malware campaign revealed common patterns in domain registration and website structure, along with broadly consistent malware configurations, command-and-control infrastructure, and payload delivery techniques.
SpyNote malware has also been used over the years by state-sponsored threat groups such as OilAlpha, as well as by other unidentified actors. The malware’s broad range of functions demonstrates its effectiveness in espionage and cybercrime and makes it a significant threat to the individuals and organisations targeted by these campaigns.