Financial institutions are being targeted by a new version of Android malware called SpyNote at least since October 2022 that combines both spyware and banking trojan characteristics.
"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."
Some of the notable institutions that are impersonated by the malware include Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank.
SpyNote (aka SpyMax) is feature-rich and comes with a plethora of capabilities that allows it to install arbitrary; gather SMS messages, calls, videos, and audio recordings; track GPS locations; and even hinder efforts to uninstall the app.
It also follows the modus operandi of other banking malware by requesting for permissions to accessibility services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to siphon banking credentials.
In addition, SpyNote packs in functionalities to plunder Facebook and Gmail passwords as well as capture screen content by leveraging Android's MediaProjection API.
The Dutch security firm said that the most recent iteration of SpyNote (called SpyNote.C) is the first variant to strike banking apps as well as other well-known apps like Facebook and WhatsApp.
It's also known to masquerade as the official Google Play Store service and other generic applications spanning wallpapers, productivity, and gaming categories. A list of some of the SpyNote artifacts, which are mainly delivered through smishing attacks, is as follows -
- Bank of America Confirmation (yps.eton.application)
- BurlaNubank (com.appser.verapp)
- Conversations_ (com.appser.verapp )
- Current Activity (com.willme.topactivity)
- Deutsche Bank Mobile (com.reporting.efficiency)
- HSBC UK Mobile Banking (com.employ.mb)
- Kotak Bank (splash.app.main)
- Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
SpyNote.C is estimated to have been purchased by 87 different customers between August 2021 and October 2022 after it was advertised by its developer under the name CypherRat through a Telegram channel.
However, the open source availability of CypherRat in October 2022 has led to a dramatic increase in the number of samples detected in the wild, suggesting that several criminal groups are co-opting the malware in their own campaigns.
ThreatFabric further noted that the original author has since started work on a new spyware project codenamed CraxsRat, which is set to be offered as a paid application with similar features.
"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.
Users are advised to refrain from downloading apps from untrusted sources, scrutinize reviews before installing any app, and grant only those permissions that are relevant for the app's purpose.
"Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources," a Google spokesperson told The Hacker News. "Users are protected by Google Play Protect, which can warn users or block identified malicious apps on Android devices."
The findings come as a group of researchers demonstrated a novel attack against Android devices dubbed EarSpy, which provides access to audio conversations, indoor locations, and touchscreen inputs by leveraging the smartphones' built-in motion sensors and ear speaker as a side-channel.