Source code leak increases malware infections for SpyNote Android

There has been a sudden increase in detections of the Android malware family known as SpyNote (or SpyMax) in the final quarter of 2022, probably due to a source code leak of one of its most recent variants, called CypherRat.

With CypherRat, you can spy remotely, track GPS coordinates, check device status and activity through SpyNote, and steal account credentials by impersonating a banking institution.

From August 2021 until October 2022, CypherRat was sold via private Telegram channels. That’s when its author decided to print its source code on GitHub, following a string of extortion incidents on hacking forums that imitated the project.

In response, threat actors quickly seized the malware’s source code and launched their campaigns. Several actors disguised CypherRat as popular social media platforms such as Facebook, Google Play, and WhatsApp.

According to ThreatFabric analysts, CypherRat may become even more widespread due to this activity.

Features of Spyware Malware

For all SpyNote variants, installation of new apps, intercepting SMS messages (for two-factor authentication bypass), listening to calls, and recording video and audio all require access to the Android Accessibility Service.

The following are the Standout features of SpyNote:

  • Information about GPS and network location tracking
  • Use the camera API to record and send videos from the device to the C2 server.
  • Abstracting the credentials of Google and Facebook.
  • Use Accessibility (A11y) to extract codes from Google Authenticator.
  • Use keylogging energized by accessibility services to steal banking credentials.

Therefore, to conceal its malicious code, the latest versions of SpyNote engage string bewilderment and use commercial packers to sheathe the APKs. 

In addition, all the details eliminated from SpyNote to its C2 server are bewildered using base 64 to conceal the host. The malware can also be used as spyware in low-volume selected espionage operations, as currently, Threat actors are using CypherRat as a banking Trojan.

It is predicted that various variants of SpyNote will appear as we move further into 2023. ThreatFabric believes the malware will continue to pose a threat to Android users. According to ThreatFabric, these malicious apps are likely spread through phishing sites, third-party Android app stores, and social media. 

Due to this, users are advised to be very cautious when installing new apps, especially if they come from outside Google Play, and reject permission requests for access to accessibility services.

Get a vigorous approach with ESOF AppSec.

Despite Google’s constant efforts to prevent Android malware from abusing Accessibility Service APIs, there are still ways around the restrictions. TAC Security’s ESOF AppSec detects the analytical vulnerabilities and vulnerable assets across your android and IOS apps. It also scans the web app source code for security and privacy issues. 

Get vulnerability management of your complete IT infrastructure for that check out what ESOF AppSec provides:

  • With ESOF Scanners, tests are executed on Grey Boxes and Black Boxes, giving exact results, and eliminating many false positives.
  • It discovers the most critical vulnerabilities and vulnerable assets across your web and mobile apps.
  • The cyber Risk Score feature will save you time and hours from reading lengthy reports. Therefore, helping you in enhancing your security posture.

Secure your DigitalSpace 

Download ESOF AppSec Datasheet Now!

Related Posts

Data Sheet – ESOF Prediction Solution Brief



Survey Report

The Future of Risk
and Vulnerability Management!

Switch to Next Generation
Vulnerability Management - ESOF

Contact Us

    Download Case Study

    Download Case Study

    Download Case Study

    Download Case Study

    Download Case Study

    Data Sheet – ESOF AppSec

    Data Sheet – ESOF VMP

    Data Sheet – ESOF VMDR