New Variant of SpyNote Malware Gains Popularity among Hackers after Source Code Leak

New variant of SpyNote malware
Written by William Reddy

According to ThreatFabric experts, hackers are increasingly using the new SpyNote (aka SpyMax) malware to covertly monitor users and manipulate infected Android smartphones. Researchers attribute the rise in popularity of the malware to the leak of its source code, which occurred back in October last year.

The company’s report says that lately, the version of SpyNote named CypherRat, has been most often found on infected devices. This malware combined all of SpyNote’s spying capabilities, including remote access, GPS tracking, device status and activity updates, with the functionality of banking trojans.

Let me remind you that we also reported that Iranian RatMilad Spyware Attacks Android Users, and also that Spyware Predator Uses Five 0-day Vulnerabilities to Attack Android Users.

And also the media said that Spyware Developers Ready to hack iOS and Android for 8 million euros.

Experts say that for the past few years, CypherRat has been sold on Telegram, and between August 2021 and October 2022, at least 80 people managed to purchase the malware. However, in October 2022, the malware code appeared in the public domain (on GitHub). This happened after a source leak, which was preceded by several cases of fraud on hacker forums: scammers pretended to be the real developers of CypherRat in order to steal money from other criminals.

After this leak, the number of attacks using SpyNote has increased dramatically, and this is especially true of attacks on online banking applications. For example, custom versions of malware have been found targeting large banks, including HSBC and Deutsche Bank.

New variant of SpyNote malware

In parallel, some hackers began to disguise their own versions of CypherRat as Google Play, WhatsApp, and so on, apparently targeting a wider audience.

New variant of SpyNote malware

Meanwhile, the real developers of the malware turned their attention to a new project – the CraxsRat spyware, which has similar capabilities to CypherRat.

Experts say all currently active variants of SpyNote seek to access the Accessibility Service to allow themselves to install new apps, intercept SMS messages (to bypass 2FA), listen in on calls, and record video and audio on the device. Among the most interesting features of the malware, ThreatFabric highlights the following:

  1. using the Camera API to record and send video from the device to the management server;
  2. collection of GPS and network location data;
  3. theft of Facebook* and Google credentials;
  4. using Accessibility Service (A11y) to retrieve codes from Google Authenticator;
  5. using a keylogger based on the Accessibility Service to steal banking credentials.

It is also noted that in order to hide malicious code from checks, the latest versions of SpyNote use obfuscation and paid packers for APK. Moreover, all information passed from SpyNote to the C&C server is obfuscated with base64 to hide the host.

New variant of SpyNote malware

Although CypherRat is now mainly used by hackers as a banking Trojan, researchers believe that the malware can also be used as spyware as part of targeted spying campaigns. ThreatFabric believes that SpyNote will continue to pose a threat to Android users, and in 2023 we should expect the appearance of new “forks” of malware.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.

Leave a Comment