Researchers have revealed that an Android malware family, SpyNote (aka SpyMax), was used heavily in attacks in Q4 2022. This sharp increase has been linked to a recent source code leak of the malware's latest variant, known as CypherRat or SpyNote.C.

Variants of SpyNote

ThreatFabric researchers have identified several SpyNote variants: SpyNote.A, SpyNote.B, and SpyNote.C.
  • The attackers spread this malware by masquerading it as generic applications, such as games, productivity apps, and wallpaper apps.
  • Malware in this family is designed to trace and track user activity on Android devices and to grant the attacker remote access.
  • Moreover, SpyNote.C is the first variant that openly targets banking applications as well. It impersonates a large number of financial firms, including Deutsche Bank and HSBC, and well-known apps such as Facebook, Google Play, and WhatsApp.

Source code leak incident

Between August 2021 and October 2022, SpyNote.C was further developed by its author and sold to individual attackers on private Telegram channels under the branding CypherRat.
  • In October 2022, the source code of CypherRat was leaked on GitHub. Soon after, many scam incidents impersonating the project were observed on hacking forums.
  • After the leak, several attackers took advantage of the malware's source code and launched their own campaigns, resulting in a significant increase in the number of samples seen in the wild.

Malware features

All SpyNote variants rely on requesting access to Android's Accessibility Service, which lets them install new apps, snoop on calls, intercept SMS messages (bypassing 2FA), and record audio and video.
  • Other features include using the Camera API to record and send videos to the C2 server, tracking GPS/network location, and stealing Facebook and Google account credentials.
  • To hide malicious code, the latest versions use string obfuscation and commercial packers to wrap the APKs.
  • Further, all information sent to the C2 server is obfuscated with base64.
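The permission profile described above (accessibility service plus SMS, call, audio/video, location and install capabilities) can be turned into a simple triage check for analysts. The script below is an added example, not code from the researchers or the malware; it assumes a manifest already decoded to plain XML (for instance with apktool), and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capability groups mirroring the SpyNote feature set (SMS interception, call
# snooping, audio/video capture, location tracking, silent app installation).
CAPABILITIES = {
    "sms_intercept": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_snooping": {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"},
    "audio_video": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "app_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def triage_manifest(manifest_xml: str) -> dict:
    """Flag a decoded manifest pairing an accessibility service with 2+ spyware capability groups."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service must be declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE, so that attribute is the reliable marker.
    accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
        for svc in root.iter("service")
    )
    hits = sorted(cap for cap, names in CAPABILITIES.items() if perms & names)
    return {
        "accessibility_service": accessibility,
        "capabilities": hits,
        "suspicious": accessibility and len(hits) >= 2,
    }

# Constructed sample: a "wallpaper" app manifest that also declares an
# accessibility service and SpyNote-style permissions (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".HelperService"
      android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
    <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
  </service></application></manifest>"""

# Constructed benign manifest for contrast: network access only, no service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/></manifest>"""
```

The heuristic is a triage aid only: legitimate accessibility tools also hold this permission, so a hit should prompt manual review rather than an automatic verdict.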

Conclusion

Experts estimate that numerous additional variants of this threat, with more features, may appear in the coming months. Android users are therefore advised to be very alert when installing new apps.
Cyware Publisher