Since at least October 2022, financial institutions have been targeted by a new version of Android malware called SpyNote, which combines spyware and banking trojan characteristics.
"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."
Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank are among the notable institutions impersonated by the malware.
SpyNote (aka SpyMax) is feature-rich and comes with a slew of capabilities, including the ability to instal arbitrary apps, collect SMS messages, calls, videos, and audio recordings, track GPS locations, and even thwart attempts to uninstall the app.
It also mimics the behaviour of other banking malware by requesting access to services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to steal banking credentials.
SpyNote also includes features for stealing Facebook and Gmail passwords and capturing screen content via Android's MediaProjection API.
According to the Dutch security firm, the most recent SpyNote variant (dubbed SpyNote.C) is the first to target banking apps as well as other well-known apps such as Facebook and WhatsApp.
It's also known to pose as the official Google Play Store service and other generic applications ranging from wallpapers to productivity and gaming. The following is a list of some of the SpyNote artefacts, which are mostly delivered via smishing attacks:
- Bank of America Confirmation (yps.eton.application)
- BurlaNubank (com.appser.verapp)
- Conversations_ (com.appser.verapp )
- Current Activity (com.willme.topactivity)
- Deutsche Bank Mobile (com.reporting.efficiency)
- HSBC UK Mobile Banking (com.employ.mb)
- Kotak Bank (splash.app.main)
- Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
SpyNote.C is approximated to have been bought by 87 different customers between August 2021 and October 2022 after its developer advertised it through a Telegram channel under the name CypherRat.
Nevertheless, the open-source availability of CypherRat in October 2022 has resulted in a significant rise in the number of samples detected in the wild, implying that several criminal groups are using the malware in their own campaigns.
ThreatFabric also stated that the original author has since begun work on a new spyware project codenamed CraxsRat, which will be available as a paid application with similar features.
"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.
The revelations resulted after a group of researchers demonstrated EarSpy, a unique attack against Android devices that allows access to audio conversations, indoor locations, and touchscreen inputs by using the smartphones' built-in motion sensors and ear speakers as a side channel.
