SpyNote malware infections surged after source code leak

January 19, 2023
SpyNote Malware Infections Source Code Leak Android Accessibility Service GPS

Researchers revealed that SpyNote malware infections have dramatically increased in the last quarter of 2022. The surge of this strain was attributed to the latest source code leak of the malware called SpyNote[.]C.

According to investigations, the SpyNote malware has three variants called SpyNote[.]A, SpyNote[.]B, and SpyNote[.]C. Moreover, its operators spread these malware variants by spoofing generic applications, such as utility tools, wallpaper apps, and games.

The malware authors also developed these strains to trace and follow user activities on Android devices and provide remote access privileges to its operators. In addition, the SpyNote[.]C is the first variant of SpyNote that claimed attacks on banking applications.

SpyNote impersonated numerous financial companies like HSBC and Deutsche Bank. This variant has also mimicked popular applications such as Google Play, WhatsApp, and Facebook.


The third SpyNote malware variant has been on a rampage since October last year.


Analysts claimed that the third SpyNote malware variant was further improved by its authors and sold to different hackers on private Telegram channels. In October 2022, the source code of SpyNote[.]C was leaked on GitHub, paving the way for numerous attackers to execute their campaigns using the malware.

Hence, the researchers recorded a significant increase in the number of samples circulating in the wild in the last quarter of 2022.

Cybersecurity experts explained that all SpyNote variants depend on requesting access to Android’s Accessibility Service to be allowed to install new applications, eavesdrop on phone calls, intercept messages, record audio, and capture video.

Other functionalities include using the Camera API to record and send video to the command-and-control server, tracking GPS and network location, and harvesting Facebook and Google account credentials.

The latest versions also use string obfuscation and commercial packers to wrap the APK and hide its malicious code. Finally, the details collected by the malware are sent to its command-and-control server with base64 obfuscation.
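As an added triage example (not from the researchers' report or the malware itself), the check below flags a decoded AndroidManifest.xml that registers an Accessibility Service alongside the surveillance permissions the article lists (camera, audio, SMS, location, app installation); the sample manifest and the permission watchlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes

# Permissions matching the capabilities attributed to SpyNote above (watchlist is my own).
WATCHLIST = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.RECEIVE_SMS": "SMS intercept",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.REQUEST_INSTALL_PACKAGES": "app installation",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Flag a decoded manifest that pairs an Accessibility Service with spyware-style permissions."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    hits = {p: WATCHLIST[p] for p in sorted(perms) if p in WATCHLIST}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent-filter declares the AccessibilityService action.
    a11y = []
    for svc in root.iter("service"):
        bound = svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        actions = {act.get(A + "name") for act in svc.iter("action")}
        if bound and "android.accessibilityservice.AccessibilityService" in actions:
            a11y.append(svc.get(A + "name"))
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "watchlist_hits": hits,
        # Accessibility access plus two or more surveillance permissions warrants manual review.
        "suspicious": bool(a11y) and len(hits) >= 2,
    }

# Constructed sample: a "wallpaper" app that asks for camera, microphone, location and accessibility.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest extracted with a tool such as apktool; a benign app that legitimately uses accessibility will typically lack the surveillance permissions and score as not suspicious.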

Cybersecurity experts expect that multiple other variants of this SpyNote family will emerge with more functions in the next few months. Users should be cautious in installing new applications and ensure their authenticity.
