An Android banking trojan called "SpyNote" is targeting European customers of various banks as part of an extensive campaign observed in June and July 2023, the Cleafy Threat Intelligence Team warns.
SpyNote is primarily spyware, but its broad feature set also lets its operators commit bank fraud.
The malware is distributed through email phishing or smishing campaigns, and the fraud itself is carried out by combining the malware's remote access trojan (RAT) capabilities with vishing (voice phishing) calls to the victim.
The infection chain starts with a fake SMS message asking the user to install a "new certified banking app," followed by a second message that points the user to what appears to be the legitimate remote support app TeamViewer. In reality, this is the fake app the threat actor uses to gain remote access to the victim's device.
Like other Android banking trojans, SpyNote abuses the Accessibility services that the victim grants during installation of the app. It uses the Accessibility services to accept further permission prompts automatically and to perform keylogging.
SpyNote can also intercept SMS messages, including two-factor authentication (2FA) codes, and transmit them to the attackers' command-and-control (C2) server. By abusing the same Accessibility services, it can also read the temporary codes displayed by the Google Authenticator app.
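Because every capability described above (auto-accepting prompts, keylogging, reading Authenticator codes) hinges on an enabled accessibility service, the first thing to check on a suspect device is which services are enabled. The following POSIX shell script is an added example, not code from the Cleafy report or from SpyNote: it parses the value of the `enabled_accessibility_services` secure setting (as returned by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries) and prints every entry that is not on an allowlist. The allowlist, the sample setting value and the package names in it are constructed for illustration.

```shell
#!/bin/sh
# Triage of enabled Android accessibility services (added example, not
# code from the Cleafy report).  On a real device the raw value comes from:
#     adb shell settings get secure enabled_accessibility_services
# It is a colon-separated list of "package/ServiceClass" entries, or "null"
# when nothing is enabled.  A service class may be written in the short
# form "package/.Service", which is expanded before comparison.

# Services a user plausibly enables on purpose (hypothetical allowlist:
# TalkBack under its two known package names; tune it for your fleet).
ALLOWED_SERVICES="com.android.talkback/com.google.android.marvin.talkback.TalkBackService
com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of the setting on an infected device: TalkBack plus
# two unknown services, one of them a fake "remote support" app of the
# kind described in the text.  Package names are invented.
SAMPLE_SETTING="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.bankcert/.RemoteSupportService:com.example.tvr/com.example.tvr.AccessService"

# Expand "pkg/.Cls" to "pkg/pkg.Cls"; leave fully qualified entries alone.
expand_service_name() {
    case "$1" in
        */.*) printf '%s/%s%s\n' "${1%%/*}" "${1%%/*}" "${1#*/}" ;;
        *)    printf '%s\n' "$1" ;;
    esac
}

# Print each enabled service that is not on the allowlist, one per line.
# $1: raw value of enabled_accessibility_services.
flag_accessibility_services() {
    raw="$1"
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        full="$(expand_service_name "$svc")"
        if ! printf '%s\n' "$ALLOWED_SERVICES" | grep -qxF -- "$full"; then
            printf '%s\n' "$full"
        fi
    done
}

# Usage: run against the constructed sample.  On a live device replace
# SAMPLE_SETTING with the output of the adb command quoted at the top.
flag_accessibility_services "$SAMPLE_SETTING"
```

Anything the script prints deserves a look at the owning package (`adb shell dumpsys package <pkg>` shows its permissions and installer); a "remote support" or "certified banking" app that holds an accessibility service is exactly the pattern the infection chain above produces.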
SpyNote uses several techniques to evade detection: all class names are obfuscated, junk code is inserted to slow down static analysis, and anti-emulator checks stop it from running, and therefore from being analyzed, inside an emulator or sandbox used by security analysts. It can also download additional files from the C2 server.