The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as ‘CypherRat.’
‘CypherRat’ combined SpyNote’s spying capabilities, such as offering remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials.
CypherRat was sold via private Telegram channels from August 2021 until October 2022, when its author decided to publish its source code on GitHub, following a string of scamming incidents on hacking forums that impersonated the project.
Threat actors quickly snatched the malware’s source code and launched their own campaigns. Almost immediately, custom variants appeared that targeted reputable banks like HSBC and Deutsche Bank.
In parallel, other actors opted to masquerade their versions of CypherRat as Google Play, WhatsApp, and Facebook, targeting a wider audience.
This activity was observed by ThreatFabric analysts, who warn about the possibility of CypherRat becoming an even more widespread threat.
SpyNote malware features
All SpyNote variants in circulation rely on requesting access to Android’s Accessibility Service to be allowed to install new apps, intercept SMS messages (for 2FA bypass), snoop on calls, and record video and audio on the device.
ThreatFabric lists the following as “standout” features:
- Use the Camera API to record and send videos from the device to the C2 server
- GPS and network location tracking information
- Stealing Facebook and Google account credentials.
- Use Accessibility (A11y) to extract codes from Google Authenticator.
- Use keylogging powered by Accessibility services to steal banking credentials.
To hide its malicious code from scrutiny, the latest versions of SpyNote employ string obfuscation and use commercial packers to wrap the APKs.
Moreover, all information exfiltrated from SpyNote to its C2 server is obfuscated using base64 to hide the host.
Threat actors currently use CypherRat as a banking trojan, but the malware could also be used as spyware in low-volume targeted espionage operations.
ThreatFabric believes that SpyNote will continue to constitute a risk for Android users and estimates that various forks of the malware will appear as we head deeper into 2023.
While ThreatFabric has not shared how these malicious apps are being distributed, they are likely spread through phishing sites, third-party Android app sites, and social media.
For this reason, users are advised to be very cautious during the installation of new apps, especially if those come from outside Google Play, and reject requests to grant permissions to access the Accessibility Service.
Unfortunately, despite Google’s continual efforts to stop the abuse of Accessibility Service APIs by Android malware, there are still ways to bypass the imposed restrictions.