Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label SpyNote. Show all posts
SpyNote
Android Crypto Fraud malware phishing SpyNote

Fake Antivirus App Hides SpyNote Malware on Android

 


SpyNote, a dangerous malware targeting Android users, has been discovered posing as a legitimate antivirus app. Disguised as "Avast Mobile Security," it deceives users into downloading it under the guise of device protection, according to a report by cybersecurity firm Cyfirma.  


Once installed, SpyNote requests permissions typical for antivirus applications, such as Accessibility Services. With these permissions, it secretly grants itself further access without notifying the user. Additionally, it excludes itself from battery optimization, allowing it to run uninterrupted in the background.  


How SpyNote Tricks Users  


SpyNote employs deceptive tactics to maintain its presence on infected devices. It mimics user gestures to stay active and displays fake system update notifications. When users interact with these alerts, they are redirected back to the malicious app, effectively trapping them in a loop. This method ensures the malware remains undetected and difficult to uninstall.  


Focus on Cryptocurrency Theft  


SpyNote is specifically designed to steal sensitive information, with a strong focus on cryptocurrency accounts. It extracts private keys and balance details for digital currencies such as Bitcoin, Ethereum, and Tether. The malware also monitors network activity to maintain a constant connection with its command-and-control servers, ensuring seamless data transmission.  


Stolen credentials are stored on the device’s SD card. Once sufficient data is collected, SpyNote erases the evidence by overwriting the card, leaving no trace of its malicious activities.  


Advanced Evasion Tactics  


SpyNote is highly skilled at avoiding detection. It uses techniques like code obfuscation and custom packaging to hide its true nature, making it difficult for security experts to analyze. The malware also identifies virtual environments, such as emulators, to evade research and detection.  


If users attempt to uninstall it, SpyNote blocks their efforts by simulating actions that prevent deactivation. For instance, it forces the device to return to the home screen whenever users try to access the app’s settings.  


Distributed Through Fake Antivirus Sites  


SpyNote spreads through phishing websites designed to look like Avast’s official download page. The malicious file, named "Avastavv.apk," is specifically targeted at Android devices. However, the phishing sites also redirect iOS users to the legitimate App Store download page for AnyDesk. Similarly, they offer AnyDesk downloads for Windows and Mac users, broadening their attack range.  


How to Stay Safe  


To avoid falling victim to SpyNote, only download apps from trusted sources like the Google Play Store. Be cautious of apps asking for unnecessary permissions, and verify download links before proceeding. Regularly updating your antivirus software and monitoring your device for unusual activity can also help protect against threats.  


SpyNote highlights the increasing complexity of malware targeting mobile users, emphasizing the importance of vigilance and proactive cybersecurity measures.

Read more »
Spyware
Android Android Apps Apps Banking Malware malware SpyNote Spyware

SpyNote Strikes: Android Spyware Targets Financial Establishments

 

Since at least October 2022, financial institutions have been targeted by a new version of Android malware called SpyNote, which combines spyware and banking trojan characteristics. 

"The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the spyware, often also targeting banking institutions."

Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank are among the notable institutions impersonated by the malware. SpyNote (aka SpyMax) is feature-rich and comes with a slew of capabilities, including the ability to instal arbitrary apps, collect SMS messages, calls, videos, and audio recordings, track GPS locations, and even thwart attempts to uninstall the app. 

It also mimics the behaviour of other banking malware by requesting access to services to extract two-factor authentication (2FA) codes from Google Authenticator and record keystrokes to steal banking credentials.

SpyNote also includes features for stealing Facebook and Gmail passwords and capturing screen content via Android's MediaProjection API.

According to the Dutch security firm, the most recent SpyNote variant (dubbed SpyNote.C) is the first to target banking apps as well as other well-known apps such as Facebook and WhatsApp.

It's also known to pose as the official Google Play Store service and other generic applications ranging from wallpapers to productivity and gaming. The following is a list of some of the SpyNote artefacts, which are mostly delivered via smishing attacks:
  • Bank of America Confirmation (yps.eton.application)
  • BurlaNubank (com.appser.verapp)
  • Conversations_ (com.appser.verapp )
  • Current Activity (com.willme.topactivity)
  • Deutsche Bank Mobile (com.reporting.efficiency)
  • HSBC UK Mobile Banking (com.employ.mb)
  • Kotak Bank (splash.app.main)
  • Virtual SimCard (cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq)
SpyNote.C is approximated to have been bought by 87 different customers between August 2021 and October 2022 after its developer advertised it through a Telegram channel under the name CypherRat.

Nevertheless, the open-source availability of CypherRat in October 2022 has resulted in a significant rise in the number of samples detected in the wild, implying that several criminal groups are using the malware in their own campaigns.

ThreatFabric also stated that the original author has since begun work on a new spyware project codenamed CraxsRat, which will be available as a paid application with similar features.

"This development is not as common within the Android spyware ecosystem, but is extremely dangerous and shows the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals," the company said.

The revelations resulted after a group of researchers demonstrated EarSpy, a unique attack against Android devices that allows access to audio conversations, indoor locations, and touchscreen inputs by using the smartphones' built-in motion sensors and ear speakers as a side channel.

Read more »
SpyNote
Android Rat Cyber Attacks cyber espionage Cyber Espionage Campaign SpyNote

Experts Find Kurdish Espionage Campaign Active on Facebook

 

Experts at ESET have probed a targeted espionage mobile campaign towards the Kurdish ethnic group, the campaign is in action since March 2020, disseminating (through dedicated FB accounts) two android backdoors named as SpyNote and 888 RAT, appearing to be genuine apps. The profiles were found presenting android news in Kurdish and news for pro Kurds. Few profiles intentionally sent additional monitoring apps to FB groups (public) with content in Kurd's support. Data downloaded from a website hints that around 1,481 URL downloads were promoted through FB posts.

Live Security said "we identified 28 unique posts as part of this BladeHawk campaign. Each of these posts contained fake app descriptions and links to download an app, and we were able to download 17 unique APKs from these links."The latest Android 888 Rat was used by the BladeHawk and Kasablanka groups. Both the groups used false names to call out the same Android Rat- Gaza007 and LodaRat respectively. 

The espionage campaign in this article is directly linked to two cases (publicly disclosed) that surfaced in 2020. QiAnXin Threat Intelligence center identified the hacking group behind the BladeHawk campaign, which it has adopted. 

The 2 campaigns were spread through FB, via malware with built-in commercials, samples using the same C&C servers, and automated tools (SpyNote and 888 Rat). Experts found six FB profiles linked to the BladeHawk attack, distributing Android espionage. These were reported to FB and eventually taken down. 

Two FB profiles targeted tech users and the other four disguised as Pro Kurds. The profiles were made in 2020 and soon after, started distributing the fake apps. Except for one account, none of the other profiles have posted any content except Android Rat posing to be genuine applications.

"These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers," reports Live Security.
Read more »
Subscribe to: Posts (Atom)