Desktop version of phishing website
The latest report from Cyfirma details the resurgence of SpyNote, a highly advanced Android malware that poses as a fake antivirus app, specifically masquerading as “Avast Mobile Security for Android” to deceive users. This malware disguises itself, gains permissions, and maintains a persistent presence on devices, allowing it to conduct extensive data theft, surveillance, and command-and-control operations.
SpyNote employs a clever tactic to lure users into granting permissions. Once installed, it displays itself as “Avast Mobile Security,” complete with a legitimate-looking icon. According to Cyfirma, “SpyNote leverages accessibility permission, which it uses to grant itself extensive control over the device, including excluding itself from battery optimization.” By simulating user actions, it silently grants itself further permissions in the background without the user’s awareness, enabling control over sensitive functions such as location tracking, camera access, and message reading.
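A defender-side triage check for the behaviour described above, as an added example that is not from the Cyfirma report: it parses the output of two adb queries and flags unexpected packages that hold both an enabled accessibility service and a user-level battery-optimization exemption. The output formats, the allowlist and the package names are assumptions, and the sample data is constructed.

```python
# Added triage example (not from the Cyfirma report). Inputs are the text output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys deviceidle whitelist
# Output formats are assumed from stock Android; all sample data is constructed.

# Hypothetical allowlist of packages expected to hold these privileges.
EXPECTED = {"com.google.android.marvin.talkback", "com.google.android.gms"}

def accessibility_packages(setting_value):
    """Parse the colon-separated 'package/ServiceClass' list into package names."""
    value = setting_value.strip()
    if not value or value == "null":  # 'null' is printed when nothing is enabled
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def user_battery_exemptions(whitelist_output):
    """Return packages exempted from battery optimization at user level.

    Assumed line format: '<kind>,<package>,<uid>' where kind is 'system',
    'system-excidle' or 'user'. Only 'user' entries are added after install.
    """
    exempt = set()
    for line in whitelist_output.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            exempt.add(parts[1])
    return exempt

def triage(setting_value, whitelist_output, expected=EXPECTED):
    """Flag unexpected packages; holding both privileges ranks highest."""
    a11y = accessibility_packages(setting_value) - expected
    exempt = user_battery_exemptions(whitelist_output) - expected
    findings = {pkg: "high" for pkg in a11y & exempt}
    findings.update({pkg: "review" for pkg in (a11y | exempt) - set(findings)})
    return findings

# Constructed sample output; com.example.fakeav is a placeholder package name.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.fakeav/com.example.fakeav.CoreService")
SAMPLE_WHITELIST = """system-excidle,com.android.providers.downloads,10018
system,com.google.android.gms,10012
user,com.example.fakeav,10231
user,com.example.musicplayer,10198
"""

if __name__ == "__main__":
    for pkg, level in sorted(triage(SAMPLE_A11Y, SAMPLE_WHITELIST).items()):
        print(f"{level:6} {pkg}")
```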
Once SpyNote secures permissions, it begins intercepting and collecting data. Cyfirma’s report highlights its capabilities, noting that “SpyNote collects data, such as credentials on the external storage (sdcard), and deletes them later to remove traces.” The malware actively seeks to steal credentials, cryptocurrency wallet details, and data from other applications, targeting popular brands and maximizing its reach by exploiting device-specific vulnerabilities.
SpyNote also attempts to maintain an open communication channel with its command-and-control server. Cyfirma observed “SYN requests sent to C2 (45[.]94[.]31[.]96[:]7544)”, indicating its persistent attempts to reconnect, even when the server is offline.
SpyNote has multiple self-defense features designed to thwart removal. Cyfirma explains that “the malware uses accessibility features to simulate user touch gestures, preventing the user from performing these actions” if they attempt to remove it. Additionally, it displays misleading notifications about a fake system update, creating a continuous, silent notification that misleads users while reinforcing its presence on the device.
SpyNote’s ability to disguise itself, gain extensive control, and persist on infected devices highlights the evolving sophistication of mobile malware. Cyfirma underscores the need for enhanced cybersecurity awareness, recommending caution with unfamiliar apps and reinforcing the importance of legitimate antivirus solutions to combat threats like SpyNote.