Recently, there has been a surge in bank fraud cases involving SpyNote spyware, typically targeting European banks via phishing attempts.
Spyware is typically used for data collection and espionage. However, researchers from Cleafy have discovered that a particular spyware, SpyNote, is now being employed to execute bank fraud.
The attack chains in these recent campaigns usually commence with a smishing attack, a fake SMS message that prompts users to install a “new certified banking app”. Subsequently, users receive a follow-up message directing them to the legitimate TeamViewer app, which is normally used for remote technical support. The attackers exploit social engineering techniques and impersonate bank operators, conducting fraudulent transactions directly on the victim’s device.
The main feature of SpyNote, similar to other Android banking trojans, involves the abuse of Accessibility services. Once installed, the spyware automatically accepts permission popups and performs keylogging activities. SpyNote has various capabilities, such as accessing the device’s camera, microphone, and GPS location.
Keylogger functionality within SpyNote enables it to monitor the list of installed applications, specific app properties, and any text input by the user. All this information is saved in encoded form within a log file. This feature allows the attackers to identify which banking applications the victim uses and to steal login credentials and credit card information.
Additionally, SpyNote can collect SMS messages the user receives and forward them to the command-and-control (C2) server. Furthermore, it can access temporary codes generated by two-factor authentication (2FA) apps, like Google Authenticator, by exploiting Accessibility services. This capability allows attackers to bypass 2FA and perform unauthorised transactions.
SpyNote and the C2 server communicate over raw sockets on specific ports, which differ between samples. The exchanged data is packaged with a custom scheme and compressed with GZip, making detection and analysis more challenging.
Moreover, to gather more information, SpyNote utilises the Media Projection APIs to capture the device’s screen content. Defence evasion techniques such as obfuscation of class names, junk code insertion, and anti-emulator controls are employed to thwart analysis efforts by security experts. After installation, the spyware hides its application icon from the device display and prevents users from manually removing it.
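A defender-side static triage check for the capability set described above (an Accessibility service binding, SMS interception, camera, microphone and location access, and no launcher icon), added here as an example; it is not from the Cleafy report, the sample manifest is constructed, and the indicator weights and threshold are assumed heuristics rather than any vendor's detection logic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Indicator permissions -> (weight, reason); weights are assumed triage heuristics.
PERMISSION_INDICATORS = {
    "android.permission.RECEIVE_SMS": (3, "intercepts incoming SMS (2FA codes)"),
    "android.permission.CAMERA": (1, "camera access"),
    "android.permission.RECORD_AUDIO": (1, "microphone access"),
    "android.permission.ACCESS_FINE_LOCATION": (1, "GPS location"),
}

def triage_manifest(xml_text: str) -> dict:
    """Score a decoded AndroidManifest.xml for the SpyNote-style capability set."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in PERMISSION_INDICATORS:
            weight, why = PERMISSION_INDICATORS[name]
            score += weight
            findings.append(f"{name}: {why}")
    # An Accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        if svc.get(PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            score += 4
            findings.append(f"{svc.get(NAME)}: binds an Accessibility service")
    # No MAIN/LAUNCHER activity means there is no icon to show the user at all.
    has_launcher = any(cat.get(NAME) == "android.intent.category.LAUNCHER"
                       for cat in root.iter("category"))
    if not has_launcher:
        score += 2
        findings.append("no LAUNCHER activity: icon hidden from the app drawer")
    return {"score": score, "suspicious": score >= 6, "findings": findings}

# Constructed sample manifest (not a real SpyNote artefact) with that capability set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run it on a manifest decoded from an APK (for example with apktool) and review the returned findings; a high score is a triage prompt for analyst review, not a verdict, since legitimate accessibility and SMS apps request the same permissions.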
This campaign represents a significant escalation in SpyNote’s use for bank fraud. The aggressive social engineering and on-device fraud (ODF) techniques employed by threat actors cause concern. Given the multiple functionalities and robust defence evasion techniques, it is likely that threat actors will continue to leverage SpyNote in their future attacks.