Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label SpyNote. Show all posts

SpyNote Strikes: Android Spyware Targets Financial Establishments

 

Since at least October 2022, financial institutions have been targeted by a new version of Android malware called SpyNote, which combines spyware and banking trojan characteristics. 

"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."

Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank are among the notable institutions impersonated by the malware. SpyNote (aka SpyMax) is feature-rich and comes with a slew of capabilities, including the ability to instal arbitrary apps, collect SMS messages, calls, videos, and audio recordings, track GPS locations, and even thwart attempts to uninstall the app. 

It also mimics the behaviour of other banking malware by requesting access to services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to steal banking credentials.

SpyNote also includes features for stealing Facebook and Gmail passwords and capturing screen content via Android's MediaProjection API.

According to the Dutch security firm, the most recent SpyNote variant (dubbed SpyNote.C) is the first to target banking apps as well as other well-known apps such as Facebook and WhatsApp.

It's also known to pose as the official Google Play Store service and other generic applications ranging from wallpapers to productivity and gaming. The following is a list of some of the SpyNote artefacts, which are mostly delivered via smishing attacks:
  • Bank of America Confirmation (yps.eton.application)
  • BurlaNubank (com.appser.verapp)
  • Conversations_ (com.appser.verapp )
  • Current Activity (com.willme.topactivity)
  • Deutsche Bank Mobile (com.reporting.efficiency)
  • HSBC UK Mobile Banking (com.employ.mb)
  • Kotak Bank (splash.app.main)
  • Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
SpyNote.C is approximated to have been bought by 87 different customers between August 2021 and October 2022 after its developer advertised it through a Telegram channel under the name CypherRat.

Nevertheless, the open-source availability of CypherRat in October 2022 has resulted in a significant rise in the number of samples detected in the wild, implying that several criminal groups are using the malware in their own campaigns.

ThreatFabric also stated that the original author has since begun work on a new spyware project codenamed CraxsRat, which will be available as a paid application with similar features.

"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.

The revelations resulted after a group of researchers demonstrated EarSpy, a unique attack against Android devices that allows access to audio conversations, indoor locations, and touchscreen inputs by using the smartphones' built-in motion sensors and ear speakers as a side channel.

Experts Find Kurdish Espionage Campaign Active on Facebook

 

Experts at ESET have probed a targeted espionage mobile campaign towards the Kurdish ethnic group, the campaign is in action since March 2020, disseminating (through dedicated FB accounts) two android backdoors named as SpyNote and 888 RAT, appearing to be genuine apps. The profiles were found presenting android news in Kurdish and news for pro Kurds. Few profiles intentionally sent additional monitoring apps to FB groups (public) with content in Kurd's support. Data downloaded from a website hints that around 1,481 URL downloads were promoted through FB posts.

Live Security said "we identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links to download an app, and we were able to download 17 unique APKs from these links."The latest Android 888 Rat was used by the BladeHawk and Kasablanka groups. Both the groups used false names to call out the same Android Rat- Gaza007 and LodaRat respectively. 

The espionage campaign in this article is directly linked to two cases (publicly disclosed) that surfaced in 2020. QiAnXin Threat Intelligence center identified the hacking group behind the BladeHawk campaign, which it has adopted. 

The 2 campaigns were spread through FB, via malware with built-in commercials, samples using the same C&C servers, and automated tools (SpyNote and 888 Rat). Experts found six FB profiles linked to the BladeHawk attack, distributing Android espionage. These were reported to FB and eventually taken down. 

Two FB profiles targeted tech users and the other four disguised as Pro Kurds. The profiles were made in 2020 and soon after, started distributing the fake apps. Except for one account, none of the other profiles have posted any content except Android Rat posing to be genuine applications.

"These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers," reports Live Security.