Malware Delivery Website Review
Researchers at DomainTools have uncovered a persistent SpyNote Android Remote Access Trojan (RAT) campaign, where threat actors are using deceptive Google Play Store clones to lure victims into downloading malicious APKs. The campaign highlights both the enduring threat of mobile RATs and the opportunistic tactics of financially motivated cybercriminals.
SpyNote gives its operators near-total control of a compromised phone. As the DomainTools report explains, “SpyNote is a highly intrusive Android Remote Access Trojan (RAT) with extensive capabilities for surveillance, data exfiltration, and device manipulation. It can remotely control a device’s camera and microphone, manage phone calls, and execute commands.”
One of its most dangerous features is its abuse of Android Accessibility Services, which lets it read screen content and intercept two-factor authentication (2FA) codes as they arrive. Beyond surveillance and credential theft, SpyNote can also “remotely wipe data, lock the device, or install additional malicious applications” if the victim grants it device administrator rights.
The threat actors behind this campaign rely on static clones of the Google Play Store, built with stolen HTML and CSS code. These pages convincingly mimic legitimate app listings, complete with an “Install” button that downloads malicious APK files. DomainTools notes, “The ‘Install’ button triggers a JavaScript function to download an .apk file directly from the malicious website.”
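The clone pages described above share a simple shape: a static copy of a Play Store listing hosted off-domain, an “Install” control, and an APK reference reachable from a link or from inline JavaScript. The following Python triage script, added here as an illustration and not taken from the report or from the campaign pages, pulls exactly those indicators out of a page. The HTML, the hostname `play-store-clone.example` and the path `/files/Chrome.apk` are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a stripped-down imitation of a static Play Store clone
# with an "Install" button whose JavaScript fetches an APK. Not a real page.
SAMPLE_HTML = """
<html><head><title>Chrome - Apps on Google Play</title>
<link rel="stylesheet" href="https://play.google.com/static/play.css">
<script>
function dl(){ window.location.href = "/files/Chrome.apk"; }
</script></head>
<body>
<h1>Chrome</h1>
<button onclick="dl()">Install</button>
<a href="https://play.google.com/store/apps/details?id=com.android.chrome">Open in Play</a>
</body></html>
"""

# Quoted string literals ending in .apk, as found in href/onclick/script text.
APK_RE = re.compile(r"""["']([^"']+\.apk)["']""", re.IGNORECASE)
PLAY_HOST = "play.google.com"


class _CloneParser(HTMLParser):
    """Collects APK references, 'Install' buttons and Play-hosted assets."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.apk_urls = set()
        self.install_buttons = 0
        self.play_assets = 0        # stolen CSS/JS/images still served from Play
        self._in_script = False
        self._in_button = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "button":
            self._in_button = True
        for key in ("href", "src"):
            val = a.get(key)
            if val:
                url = urljoin(self.page_url, val)
                if url.lower().endswith(".apk"):
                    self.apk_urls.add(url)
                if urlparse(url).hostname == PLAY_HOST and tag in ("link", "script", "img"):
                    self.play_assets += 1
        # Inline handlers such as onclick="location='x.apk'"
        for m in APK_RE.finditer(a.get("onclick") or ""):
            self.apk_urls.add(urljoin(self.page_url, m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        if tag == "button":
            self._in_button = False

    def handle_data(self, data):
        if self._in_script:
            for m in APK_RE.finditer(data):
                self.apk_urls.add(urljoin(self.page_url, m.group(1)))
        if self._in_button and data.strip().lower() == "install":
            self.install_buttons += 1


def assess_play_clone(html, page_url):
    """Return indicators that a page is a Play Store look-alike serving an APK."""
    p = _CloneParser(page_url)
    p.feed(html)
    host = urlparse(page_url).hostname or ""
    offsite = host != PLAY_HOST and not host.endswith("." + PLAY_HOST)
    return {
        "host": host,
        "apk_urls": sorted(p.apk_urls),
        "install_buttons": p.install_buttons,
        "play_assets": p.play_assets,
        # Google Play never hands out raw APK downloads from a third-party host,
        # so an off-domain page with an APK reference is the core signal.
        "suspicious": offsite and bool(p.apk_urls),
    }


if __name__ == "__main__":
    print(assess_play_clone(SAMPLE_HTML, "https://play-store-clone.example/apps/chrome"))
```

The `play_assets` count is a secondary signal: clones built from stolen HTML often still load stylesheets or images from the real `play.google.com`, which is something a legitimately hosted third-party site has no reason to do.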
Spoofed apps include popular categories such as social/dating apps (CamSoda, Kismia, iHappy), games (8 Ball Pool, Block Blast), and utilities (Chrome, Zoom, Beauty, Compras Online). This broad targeting demonstrates the attackers’ intent to cast a wide net over general consumers.
The delivery APK (e.g., Chrome.apk) acts as a dropper. Once installed, it decrypts its hidden payload using a key derived from the app’s manifest and loads SpyNote via a technique known as DEX Element Injection.
The report explains: “The malware uses reflection to access and modify the app’s core ClassLoader at runtime, inserting its own malicious code elements at the very beginning of the code lookup path. This forces the Android system to prioritize and execute the malicious code over the app’s legitimate code.”
Because the SpyNote code exists only as an encrypted blob until runtime, static analysis of the delivery APK sees nothing but the dropper; once the payload’s DEX elements sit at the front of the lookup path, any class it defines with the same name as a host class is resolved first, letting it shadow legitimate app functions. The decrypted payload then loads additional DEX files containing C2 logic, establishing communication with attacker-controlled domains via WebSockets.
The C2 infrastructure uses multiple hardcoded domains but employs obfuscation to frustrate analysis. DomainTools observed “control flow obfuscation and identifier obfuscation through random variations of o, O, and 0 for all names in an attempt to make it difficult to understand the program’s logic through static analysis.”
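Both the DEX Element Injection described above and the o/O/0 identifier obfuscation leave traces in the string table of a dropper’s `classes.dex`: the hidden `BaseDexClassLoader.pathList` and `DexPathList.dexElements` fields have to be named to be reached by reflection, and obfuscated class and method names show up as identifiers built from only those three characters. The Python below is an added triage heuristic over such a string table (for example the output of `strings classes.dex` or a DEX parser); it is not code from the report or from the malware. The sample string list is constructed, and the indicator sets are the editor’s choice of names worth flagging.

```python
import re

# Constructed sample standing in for a dropper's DEX string table. Not the
# real sample's strings; chosen to exercise each indicator group once.
SAMPLE_STRINGS = [
    "Ldalvik/system/BaseDexClassLoader;",
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/DexPathList;",
    "pathList",
    "dexElements",
    "makeDexElements",
    "getDeclaredField",
    "setAccessible",
    "Ljava/lang/reflect/Field;",
    "Lcom/oO0/O0o;",
    "oOO0o",
    "O00oO",
    "o0OoO0",
    "onCreate",
    "Landroid/content/Context;",
    "getPackageManager",
    "getApplicationInfo",
    "metaData",
    "Ljavax/crypto/Cipher;",
    "AES/CBC/PKCS5Padding",
    "wss://",
]

# Names a dropper must reference to splice its own dex in front of the host's.
INDICATORS = {
    "dex_classloader": {
        "Ldalvik/system/BaseDexClassLoader;", "Ldalvik/system/DexClassLoader;",
        "Ldalvik/system/DexPathList;", "Ldalvik/system/InMemoryDexClassLoader;",
    },
    "pathlist_fields": {"pathList", "dexElements", "makeDexElements", "makePathElements"},
    "reflection": {"getDeclaredField", "setAccessible", "Ljava/lang/reflect/Field;"},
    "payload_crypto": {"Ljavax/crypto/Cipher;", "Ljavax/crypto/spec/SecretKeySpec;"},
    "manifest_read": {"getApplicationInfo", "metaData"},  # reading manifest meta-data at runtime
}

IDENT_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*$")
# Identifiers made only of o, O and 0, three or more characters long.
OBF_RE = re.compile(r"^[oO0]{3,}$")


def identifier_names(strings):
    """Yield simple names from plain identifiers and from L...; type descriptors."""
    for s in strings:
        if s.startswith("L") and s.endswith(";"):
            for part in s[1:-1].split("/"):
                yield part
        elif IDENT_RE.match(s):
            yield s


def find_indicators(strings):
    """Map each indicator group to the strings from the table that hit it."""
    pool = set(strings)
    found = {}
    for group, needles in INDICATORS.items():
        hits = sorted(pool & needles)
        if hits:
            found[group] = hits
    ws = sorted(s for s in pool if s.startswith(("ws://", "wss://")))
    if ws:
        found["websocket_c2"] = ws
    return found


def triage_dex_strings(strings):
    """Score a DEX string table for DEX Element Injection and o/O/0 obfuscation."""
    found = find_indicators(strings)
    names = list(identifier_names(strings))
    obfuscated = [n for n in names if OBF_RE.match(n)]
    # All three groups together are what a runtime dexElements splice needs.
    injection = {"dex_classloader", "pathlist_fields", "reflection"}.issubset(found)
    return {
        "indicators": found,
        "identifier_count": len(names),
        "obfuscated_count": len(obfuscated),
        "obfuscated_ratio": len(obfuscated) / len(names) if names else 0.0,
        "dex_element_injection_likely": injection,
    }


if __name__ == "__main__":
    print(triage_dex_strings(SAMPLE_STRINGS))
```

Treat a hit as a reason to look closer, not as a verdict: the same hidden-field reflection is used by legitimate hotfix and plugin frameworks, and the o/O/0 pattern is only one of many obfuscator naming schemes. A dropper that resolves these names through a string-decryption routine rather than plain literals will also slip past a string-table check, which is exactly the kind of evolution the report says this actor has so far not made.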
While the obfuscation shows some evolution, the underlying infrastructure remains small, tied to just two primary IP addresses (154.90.58[.]26 and 199.247.6[.]61).
DomainTools characterizes the actor as persistent but with limited sophistication. Despite repeated exposure, they continue to rely on the same Google Play Store cloning tactic, suggesting it remains effective against unwary consumers. The report notes, “The threat actor distributing SpyNote malware exhibits persistence and limited technical adaptability. They consistently use deceptive Google Play Store clones to lure victims.”
The campaign is financially motivated, aiming to steal credentials, exfiltrate personal data, and leverage SpyNote’s surveillance features for extortion or fraud. While attribution remains unclear, the presence of Chinese-language comments in the delivery code offers some potential clues.