SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls

Oct 16, 2023NewsroomMalware / Mobile Security

The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.

Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.

Besides requesting invasive permissions to access call logs, camera, SMS messages, and external storage, SpyNote is known for hiding its presence from the Android home screen and the Recents screen in a bid to make it difficult to avoid detection.

“The SpyNote malware app can be launched via an external trigger,” F-Secure researcher Amit Tambe said in an analysis published last week. “Upon receiving the intent, the malware app launches the main activity.”

But most importantly, it seeks accessibility permissions, subsequently leveraging it to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots of the phone via the MediaProjection API.

A closer examination of the malware has revealed the presence of what are called diehard services that aim to resist attempts, either made by the victims or by the operating system, at terminating it.

This is accomplished by registering a broadcast receiver that’s designed to restart it automatically whenever it is about to be shut down. What’s more, users who attempt to uninstall the malicious app by navigating to Settings are prevented from doing so by closing the menu screen via its abuse of the accessibility APIs.

“The SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs, information on installed applications, and so on,” Tambe said. “It stays hidden on the victim’s device making it challenging to notice. It also makes uninstallation extremely tricky.”

“The victim is eventually left only with the option of performing a factory reset, losing all data, thereby, in the process.”

The disclosure comes as the Finnish cybersecurity firm detailed a bogus Android app that masquerades as an operating system update to entice targets into granting it accessibility services permissions and exfiltrate SMS and bank data.