Financial institutions have been targeted with a new version of the Android malware SpyNote since at least October 2022.
“The reason behind this increase is that spyware developers who previously sold spyware to other actors released their source code,” ThreatFabric said in a report shared with The Hacker News. “This helped other actors [in] developing and distributing spyware, often targeting banking institutions as well.”
Prominent institutions impersonated by malware include Deutsche Bank, HSBC UK, Kotak Mahindra Bank, and Nubank.
SpyNote (aka SpyMax) is feature-rich: it allows the operator to install arbitrary apps, collect SMS messages, calls, videos and voice recordings, and track the device's GPS location. It also hinders attempts to uninstall apps.
It also follows other banking malware tricks by requesting permission to access accessibility services, extracting two-factor authentication (2FA) codes from Google Authenticator, and logging keystrokes to siphon banking credentials.
Additionally, SpyNote includes the ability to steal Facebook and Gmail passwords and capture screen content using Android’s MediaProjection API.
The Dutch security firm said the latest version of SpyNote (called SpyNote.C) was the first variant to attack banking apps as well as other well-known apps such as Facebook and WhatsApp.
It has also been known to spoof the official Google Play store service and other popular applications across wallpaper, productivity, and gaming categories. Here is a partial list of SpyNote artifacts that are mostly delivered by smishing attacks:
- Bank of America verification (yps.eton.application)
- Burla Nubank (com.appser.verapp)
- Conversation_ (com.appser.verapp)
- Current Activity (com.willme.topactivity)
- Deutsche Bank Mobile (com.reporting.efficiency)
- HSBC UK Mobile Banking (com.employ.mb)
- Kotak Bank (splash.app.main)
- Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
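The two points a responder can act on directly are the package names listed above and the accessibility-service abuse described earlier. The following Python helper, an added example that is not ThreatFabric's or The Hacker News' code, parses the output of two real Android commands run over adb (`adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`), flags any installed package from the SpyNote list, and reports which packages currently hold accessibility-service access outside an allowlist. The device output embedded in the block and the `TRUSTED_A11Y` allowlist are constructed for the example.

```python
"""Triage helper for the SpyNote indicators in the article: known package
names plus packages holding accessibility-service access on an Android device.

Added example (not code from the article or from ThreatFabric). Input formats
are those of real Android tooling; the sample device output is constructed:

    adb shell pm list packages
    adb shell settings get secure enabled_accessibility_services
"""

# Package names from the article's list of SpyNote artifacts.
SPYNOTE_PACKAGES = {
    "yps.eton.application",                       # Bank of America verification
    "com.appser.verapp",                          # Burla Nubank / Conversation_
    "com.willme.topactivity",                     # Current Activity
    "com.reporting.efficiency",                   # Deutsche Bank Mobile
    "com.employ.mb",                              # HSBC UK Mobile Banking
    "splash.app.main",                            # Kotak Bank
    "cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq",    # Virtual SimCard
}


def parse_pm_list(output):
    """Parse `pm list packages` output (with or without -f) into a set of package names."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        value = line[len("package:"):]
        # With -f each line is package:<apk path>=<package name>; keep the name only.
        pkgs.add(value.rsplit("=", 1)[-1])
    return pkgs


def parse_accessibility_services(value):
    """Parse the enabled_accessibility_services setting into the set of owning packages.

    The setting is a colon-separated list of flattened component names such as
    pkg/.Service; an empty value or the literal "null" means nothing is enabled.
    """
    value = value.strip()
    if not value or value == "null":
        return set()
    return {component.split("/", 1)[0] for component in value.split(":") if component}


def triage(pm_output, accessibility_value, allowlist=frozenset()):
    """Return findings: known SpyNote packages installed, packages holding
    accessibility access outside the allowlist, and the overlap of the two."""
    installed = parse_pm_list(pm_output)
    a11y_holders = parse_accessibility_services(accessibility_value)
    return {
        "known_spynote": sorted(installed & SPYNOTE_PACKAGES),
        "accessibility_holders": sorted(a11y_holders - allowlist),
        "accessibility_known_spynote": sorted(a11y_holders & SPYNOTE_PACKAGES),
    }


# Constructed sample device output (not real captures).
SAMPLE_PM = """package:com.android.chrome
package:com.employ.mb
package:com.google.android.marvin.talkback
"""
SAMPLE_A11Y = (
    "com.employ.mb/.MainAccessibilityService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

# Assumed allowlist of legitimate accessibility-service holders for this fleet.
TRUSTED_A11Y = frozenset({"com.google.android.marvin.talkback"})

if __name__ == "__main__":
    for key, hits in triage(SAMPLE_PM, SAMPLE_A11Y, TRUSTED_A11Y).items():
        print(f"{key}: {hits}")
```

Feed the real command output into `triage()` instead of the constructed strings; a non-empty `accessibility_holders` list is worth reviewing even when no package name matches, since the list above is partial and rebuilt samples change package names freely.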
SpyNote.C is estimated to have been purchased by 87 different customers between August 2021 and October 2022 after being advertised by its developer under the name CypherRat through Telegram channels.
However, the open-source availability of CypherRat in October 2022 dramatically increased the number of samples detected in the wild, which suggests that several criminal groups are employing the malware in their own campaigns.
Additionally, ThreatFabric noted that the original authors have started working on a new spyware project codenamed CraxsRat. The project will be offered as a paid application with similar functionality.
“This development, while less common within the Android spyware ecosystem, is highly dangerous and signals the potential for a new trend to begin. Accessibility services give to criminals,” the company said.