The SpyNote Android malware family has seen a surge in infections that have been attributed to a source code leak of CypherRat. CypherRat is a Remote Administration Tool (RAT) that combines SpyNote’s spying capabilities, such as remote access, GPS tracking, device status, and activity updates, with banking trojan features that impersonate banking institutions with the goal of stealing credentials. CypherRat was sold via Telegram between August 2021 and October 2022, when the author published its source code to GitHub following a string of scamming incidents that impersonated the project. Following the release of the source code, threat actors quickly began to launch their own campaigns, targeting banks like HSBC and Deutsche Bank, as well as masquerading their versions of the RAT as applications such as Google Play and WhatsApp, among many more.
All the SpyNote variants that stem from this leak rely on requesting access to Android’s Accessibility Service, which allows the actor to install new apps, intercept SMS messages, listen to calls, and record video/audio on the device. Researchers at ThreatFabric list the following as the main features of these variants of SpyNote:
- Uses the camera API to record and send videos to the C2 server
- GPS/Network Location tracking information
- Facebook/Google credential harvester
- Uses Accessibility feature to extract code from Google Authenticator
- Uses Accessibility feature to run a keylogger to steal banking credentials
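Because every variant described above depends on being granted Accessibility Service access, one practical defender check is to audit which accessibility services are actually enabled on managed devices. The following is an added example, not code from the article or from ThreatFabric: it parses the value of Android's `enabled_accessibility_services` secure setting (readable over USB debugging with `adb shell settings get secure enabled_accessibility_services`) and reports any service that is not on an allowlist. The sample setting value and the allowlist are constructed for illustration.

```python
"""Audit enabled Android accessibility services against an allowlist.

Added example (not from the original article). Input is the raw value of the
Android secure setting `enabled_accessibility_services`: a colon-separated
list of component names in the form `package/class`, where the class may be
abbreviated as `.Class` relative to the package. The `settings get` command
prints "null" when no service is enabled.
"""

# Constructed sample output (hypothetical package names, not a real device).
SAMPLE_SETTING = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.notes/.SyncService"
)

# Hypothetical allowlist: the accessibility services this fleet expects.
ALLOWLIST = {
    "com.example.screenreader/com.example.screenreader.ReaderService",
}


def parse_enabled_services(value):
    """Return enabled services as full 'package/fully.qualified.Class' strings."""
    value = (value or "").strip()
    if value in ("", "null"):  # nothing enabled, or setting never written
        return []
    services = []
    for entry in value.split(":"):
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        if cls.startswith("."):  # shorthand class name relative to the package
            cls = package + cls
        services.append(f"{package}/{cls}")
    return services


def unexpected_services(value, allowlist=ALLOWLIST):
    """Services enabled on the device that are not on the allowlist."""
    return [s for s in parse_enabled_services(value) if s not in allowlist]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING):
        print("review:", svc)
```

An unexpected entry is not proof of compromise, but on a fleet where accessibility services are rarely needed it is a cheap, high-signal indicator worth reviewing, and the same parser works on the output of an MDM agent that collects the setting in bulk.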
The latest versions of SpyNote also employ string obfuscation and use commercial packers to wrap the APKs. All exfiltrated information is base64-encoded.
The researchers assess that this malware family will continue to be a risk for Android users and that new variants will appear in the coming year. No official statement has been released as to how these new variants are spreading.
While no official statement has been released, it can be assumed that the variants are likely spreading through phishing campaigns and malicious websites. At the enterprise level, the best course of action to prevent this malware is to educate end users on best practices when browsing the internet: verify application legitimacy, read application reviews prior to installation, and download applications only from trusted app stores. It is also advisable to follow best practices when forming a BYOD policy, ensuring that end users connect to guest Wi-Fi or another segmented network that can be monitored. Finally, as this malware provides means to bypass MFA, organizations should implement a defense-in-depth strategy. It is recommended to monitor for suspicious logins and MFA attempts, such as logins from another country.
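The closing recommendation, monitoring for logins from unexpected countries and for suspicious MFA activity, can be turned into a concrete detection. The following is an added example, not code from the article: it reads a few constructed identity-provider audit events (the JSON-lines layout and field names are hypothetical), flags successful logins from a country outside each user's baseline, and flags a burst of MFA prompts for one user within a short window, which is what repeated attempts to get past MFA tend to look like in the log. The baseline countries are assumed to come from HR data or a learned profile.

```python
"""Flag sign-ins outside a user's baseline country and MFA prompt bursts.

Added example (not from the original article). Log layout, field names and
the baseline source are assumptions made for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data).
SAMPLE_LOG = """
{"ts": "2023-01-10T08:00:00Z", "user": "alice", "country": "US", "event": "login", "result": "success"}
{"ts": "2023-01-10T08:00:05Z", "user": "alice", "country": "US", "event": "mfa_prompt", "result": "approved"}
{"ts": "2023-01-10T08:30:00Z", "user": "bob", "country": "US", "event": "login", "result": "success"}
{"ts": "2023-01-10T08:30:04Z", "user": "bob", "country": "US", "event": "mfa_prompt", "result": "approved"}
{"ts": "2023-01-10T21:14:00Z", "user": "alice", "country": "BR", "event": "login", "result": "success"}
{"ts": "2023-01-10T21:14:10Z", "user": "alice", "country": "BR", "event": "mfa_prompt", "result": "denied"}
{"ts": "2023-01-10T21:14:40Z", "user": "alice", "country": "BR", "event": "mfa_prompt", "result": "denied"}
{"ts": "2023-01-10T21:15:20Z", "user": "alice", "country": "BR", "event": "mfa_prompt", "result": "approved"}
"""

# Hypothetical per-user expected countries.
BASELINE = {"alice": {"US"}, "bob": {"US"}}

MFA_BURST_COUNT = 3                   # prompts within the window that trigger an alert
MFA_BURST_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse JSON-lines audit events and convert timestamps to datetimes."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect(events, baseline):
    """Return (rule, user, country, timestamp) tuples for suspicious activity."""
    alerts = []
    prompts = defaultdict(list)  # user -> recent MFA prompt timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["event"] == "login" and ev["result"] == "success":
            # Successful login from a country this user is not expected in.
            if ev["country"] not in baseline.get(user, set()):
                alerts.append(("login_outside_baseline", user, ev["country"], ev["ts"]))
        elif ev["event"] == "mfa_prompt":
            window = prompts[user]
            window.append(ev["ts"])
            # Drop prompts that fell out of the sliding window.
            while window and ev["ts"] - window[0] > MFA_BURST_WINDOW:
                window.pop(0)
            # Fires on the third prompt and every further prompt in the window.
            if len(window) >= MFA_BURST_COUNT:
                alerts.append(("mfa_prompt_burst", user, ev["country"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), BASELINE):
        print(*alert)
```

In the sample data both rules fire for the same user within two minutes, which is the kind of correlation worth escalating: a login from a new country followed by repeated MFA prompts until one is approved. In a real deployment the baseline should also tolerate legitimate travel, for example by requiring the out-of-baseline login to coincide with an MFA anomaly before paging anyone.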