The Android spyware known as SpyNote has been targeting financial institutions since late 2022 while expanding its capabilities to carry out bank fraud.
Security researchers at Cleafy have recently shared new findings about SpyNote, saying the malware exploits Accessibility services and various Android permissions to conduct multiple malicious activities.
SpyNote distribution occurs through email phishing and smishing campaigns, and its fraudulent activities are executed using a combination of remote access trojan (RAT) capabilities and vishing attacks. During June and July 2023, there has been a noticeable surge in targeted campaigns against multiple European customers of different banks.
Describing the findings in an advisory published earlier today, the Cleafy Threat Intelligence Team said it had been closely monitoring the rising trend of spyware infections, with SpyNote being one of the primary culprits. What makes this malware particularly dangerous is its ability to convincingly impersonate legitimate applications.
The infection chain typically begins with a deceptive SMS message urging users to install a “new certified banking app,” followed by a redirect to a seemingly authentic TeamViewer app, which is used for technical remote support. In reality, this is the initial step to gain remote access to the victim’s device.
SpyNote’s main features involve exploiting Accessibility services to automatically accept other permission popups and carry out keylogging activities. By tracking user activities, the spyware gains access to crucial information like installed applications, specific app properties and text inputs, all of which can be used to steal sensitive banking credentials.
Additionally, SpyNote can intercept SMS messages, including two-factor authentication (2FA) codes, and transmit them to the attackers’ command-and-control (C2) server, bypassing the extra layer of security put in place by financial institutions. The malware can also record screens, providing the attackers with substantial control and information.
To evade detection and analysis, SpyNote employs various defense evasion techniques, such as code obfuscation, anti-emulator controls and the prevention of manual removal by hiding the application icon.
Cleafy concluded its report by saying that the aggressive and extensive nature of the recent SpyNote campaign indicates that threat actors will likely continue to exploit this spyware’s multiple functionalities to perpetrate bank fraud.
“Although this is not the first time that spyware has been used to carry out bank fraud […] this SpyNote campaign is certainly one of the most aggressive in recent times,” reads the report.
“By observing the aggressiveness and extension of this recent SpyNote campaign, we assume that TAs will continue to use this spyware to carry out bank fraud due to the multiple functionalities.”
Financial institutions and users must remain vigilant against phishing and smishing attempts and regularly update their security measures to defend against these evolving threats.