1 August 2023

SpyNote Android malware targets financial institutions



An Android banking trojan called “SpyNote” is targeting European customers of various banks as part of an extensive campaign observed in June and July 2023, the Cleafy Threat Intelligence Team warns.

While SpyNote is spyware, it is also capable of performing bank fraud due to its diverse functions.

The malware is distributed via email phishing or smishing campaigns, and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attacks.

The infection chain starts with a fake SMS message asking users to install a “new certified banking app,” followed by a second message redirecting the user to what appears to be the legitimate remote technical support app TeamViewer. In reality, this is a fake app used by the threat actor to gain remote access to the victim’s device.

Like other Android banking trojans, SpyNote abuses the Accessibility services granted by the victim during the installation of the app. The malware uses the Accessibility services to accept other permission pop-ups automatically and to carry out keylogging activities.

SpyNote can also intercept SMS messages, including two-factor authentication (2FA) codes, and transmit them to the attackers’ command-and-control (C2) server. It can also gain access to the temporary codes generated by the Google Authenticator app, exploiting the Accessibility services.

SpyNote utilizes different techniques to evade detection, such as the obfuscation of all class names, the use of junk code to slow down the static analysis of the code, and anti-emulator controls to prevent it from being launched and analyzed within an emulator or sandbox by security analysts. It is also capable of downloading additional files from the C2 server.
