A newly observed Android malware campaign is leveraging deceptive websites hosted on recently registered domains to distribute SpyNote, a powerful remote access Trojan (RAT).
These websites mimic legitimate Google Play Store app pages, aiming to convince users to download infected files under the guise of installing popular applications.
Fake App Pages Push Powerful Android RAT
Researchers discovered that the sites include elements such as image carousels showcasing screenshots of supposed app pages, “Install” buttons, and even remnants of code referencing TikTok’s Android package.
Clicking the mimicked installation button executes JavaScript, which automatically triggers the download of a malicious APK file.
Once installed, the dropper APK executes a hidden function to deploy a second embedded APK. This secondary payload carries the core functionality of SpyNote, which allows it to communicate with command-and-control (C2) servers using hardcoded IP addresses and ports. The C2 parameters are embedded in the malware’s DEX file, supporting both dynamic and hardcoded connections.
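The two traits described above, a second APK embedded inside the first and C2 parameters hardcoded in the DEX file, can both be checked statically without running the sample. The following Python script is an added example written for this article, not code from DomainTools or from the malware; it walks the outer ZIP, looks for any entry that is itself an archive containing a DEX, and scans every DEX found for IPv4:port strings. The sample APK is constructed inline (203.0.113.45 is a documentation-range address), and the assumption that hardcoded C2 settings appear as plain `ip:port` text in DEX strings is the author's heuristic, not a claim from the report.

```python
"""Offline static triage of an APK for the dropper pattern described above:
a nested APK inside the outer package, and IPv4:port pairs in DEX strings.
Example code, not from the article or DomainTools; the sample is constructed."""
import io
import json
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # an APK is a ZIP archive; first local-file header
DEX_MAGIC = b"dex\n"        # magic of a Dalvik executable (classes.dex)
# Candidate host:port pairs; lookarounds stop "1.2.3.4.5:80" style partial hits.
# Octet and port ranges are validated afterwards (heuristic, assumed format).
IP_PORT_RE = re.compile(rb"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?![\d.])")


def iter_dex_blobs(apk_bytes, prefix=""):
    """Yield (path, dex_bytes) for each DEX in the archive and in one level
    of nested APKs (the dropper-carries-payload pattern)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as archive:
        for name in archive.namelist():
            data = archive.read(name)
            path = prefix + name
            if data.startswith(DEX_MAGIC):
                yield path, data
            elif data.startswith(ZIP_MAGIC) and not prefix:
                try:
                    # Recurse once; entries inside are reported as outer!inner.
                    yield from iter_dex_blobs(data, prefix=path + "!")
                except zipfile.BadZipFile:
                    continue  # looked like a ZIP but is not one


def find_hardcoded_endpoints(blob):
    """Return sorted, validated 'ip:port' strings found in raw bytes."""
    found = set()
    for ip, port in IP_PORT_RE.findall(blob):
        octets = [int(o) for o in ip.split(b".")]
        if all(o <= 255 for o in octets) and 0 < int(port) <= 65535:
            found.add(f"{ip.decode()}:{port.decode()}")
    return sorted(found)


def triage(apk_bytes):
    """Report which entries are nested APKs and which DEX files carry endpoints."""
    report = {"nested_apks": [], "endpoints": {}}
    for path, dex in iter_dex_blobs(apk_bytes):
        if "!" in path:
            container = path.split("!")[0]
            if container not in report["nested_apks"]:
                report["nested_apks"].append(container)
        hits = find_hardcoded_endpoints(dex)
        if hits:
            report["endpoints"][path] = hits
    return report


def _zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_apk():
    """Constructed dropper-shaped sample: a payload APK hidden under assets/."""
    # 0x11 is the 17-byte length prefix a DEX string item would carry.
    payload_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 28 + b"\x11203.0.113.45:7771\x00"
    payload_apk = _zip({"AndroidManifest.xml": b"<manifest/>", "classes.dex": payload_dex})
    outer_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 28 + b"\x05Hello\x00"
    return _zip({
        "AndroidManifest.xml": b"<manifest/>",
        "classes.dex": outer_dex,
        "res/drawable/icon.png": b"\x89PNG\r\n\x1a\n",
        "assets/update.bin": payload_apk,
    })


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_apk()), indent=2))
```

On a real sample, `triage(open("sample.apk", "rb").read())` flags any nested archive that carries a DEX regardless of its file extension, since droppers rarely name the payload `.apk`; the endpoint scan is a coarse first pass and will miss C2 settings that are encrypted or assembled at runtime.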
Versatile Malware with Extensive Capabilities
The SpyNote malware provides threat actors with a wide range of surveillance and control features, including:
- Intercepting SMS, call logs and contacts
- Activating camera and microphone remotely
- Logging keystrokes, including credentials and 2FA codes
- Tracking GPS location
- Recording phone calls
- Downloading and installing additional apps
- Preventing removal by abusing accessibility services
- Wiping or locking devices remotely
Many of these capabilities are enabled through aggressive permission requests, some of which allow the malware to survive device reboots or hide its presence altogether.
“SpyNote is notorious for its persistence, often requiring a factory reset for complete removal,” explained DomainTools, who discovered the new campaign.
China Nexus Suspected
Evidence within the malware and delivery infrastructure suggests a possible China-based origin, including the presence of Chinese-language code and the use of Chinese-language distribution sites. However, no definitive attribution has been made.
The malware has been linked in the past to espionage campaigns targeting Indian defense personnel and has been associated with advanced persistent threat groups such as OilRig (APT34) and APT-C-37.
Image credit: JarTee / Shutterstock.com