The SpyNote Android malware family has seen a surge in infections that have been attributed to a source code leak of CypherRat. CypherRat is a Remote Administration Tool (RAT) that combines SpyNote’s spying capabilities, such as remote access, GPS tracking, device status, and activity updates, with banking trojan features that impersonate banking institutions with the goal of stealing credentials. CypherRat was sold via Telegram between August 2021 and October 2022, when the author published its source code to GitHub following a string of scamming incidents that impersonated the project. Following the release of the source code, threat actors quickly began to launch their own campaigns, targeting banks like HSBC and Deutsche Bank, as well as masquerading their versions of the RAT as applications such as Google Play and WhatsApp, among many more.
All the SpyNote variants that stem from this leak rely on requesting access to Android’s Accessibility Service, which allows the actor to install new apps, intercept SMS messages, listen to calls, and record video/audio on the device. Researchers at ThreatFabric list the following as the main features of these variants of SpyNote:
- Uses the camera API to record/send videos to the C2 server
- GPS/Network Location tracking information
- Facebook/Google credential harvester
- Uses Accessibility feature to extract code from Google Authenticator
- Uses Accessibility feature to run a keylogger to steal banking credentials
The latest versions of SpyNote also employ string obfuscation and use commercial packers to wrap the APKs. All exfiltrated information is encoded using base64.
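As an added defender-side example (not code from the ThreatFabric report), the following Python triage script checks a decoded AndroidManifest.xml for the combination described above: a service bound with BIND_ACCESSIBILITY_SERVICE together with the permissions behind the camera, audio, location and SMS capabilities. The sample manifest, package name and service name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions behind the capabilities listed above (camera recording,
# location tracking, SMS interception, call/audio recording, app installs).
CAPABILITY_PERMISSIONS = {
    "android.permission.CAMERA": "camera recording",
    "android.permission.RECORD_AUDIO": "audio/call recording",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location tracking",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.REQUEST_INSTALL_PACKAGES": "app installation",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report SpyNote-style indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    indicators = sorted({
        CAPABILITY_PERMISSIONS[p.get(NAME_ATTR)]
        for p in root.iter("uses-permission")
        if p.get(NAME_ATTR) in CAPABILITY_PERMISSIONS
    })
    # An Accessibility Service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # the leaked variants depend on it for keylogging and Authenticator code theft.
    a11y_services = [s.get(NAME_ATTR) for s in root.iter("service")
                     if s.get(PERM_ATTR) == BIND_A11Y]
    return {
        "accessibility_services": a11y_services,
        "indicators": indicators,
        # Flag the combination the report describes, not a single permission:
        # accessibility binding plus at least two spying capabilities.
        "suspicious": bool(a11y_services) and len(indicators) >= 2,
    }

# Constructed sample manifest (fake package and service names) for the example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="System Update">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest` over manifests extracted with a decoder such as apktool; a legitimate app that binds an Accessibility Service but requests none of the spying permissions is not flagged.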
The researchers assess that this malware family will continue to be a risk for Android users and that new variants will appear in the coming year. No official statement has been released as to how these new variants are spreading.