Hackers are using fake Google Play Store pages to infect Android phones with a dangerous trojan — how to stay safe
The SpyNote malware has returned to wreak havoc on vulnerable Android devices

A new campaign is bringing back the troublesome SpyNote malware. This remote access trojan (RAT) has a wide range of malicious capabilities and is also difficult to remove from an infected Android phone.
As reported by SiliconANGLE, this time it is being spread via fake websites hosted on recently registered domains. The sites imitate Google Play Store app pages in close detail to trick users into downloading infected files instead of the apps they're looking for.
The deceptive sites include detailed elements such as image carousels of screenshots for the supposed apps, install buttons and code remnants, all familiar visual elements used to create an illusion of legitimacy.
Once a user clicks the install button on one of these fake sites, JavaScript on the page triggers the download of a malicious APK file. This dropper APK runs a function that deploys a second APK embedded inside it. That second payload carries the core functionality of the malware and lets it communicate with the threat actors' command-and-control (C2) servers using hardcoded IP addresses and ports.
The C2 parameters are embedded in SpyNote's DEX files, so the malware supports both hardcoded and dynamically configured connections. The SSL certificates and DNS configurations of the sites also point to systematic, automated deployment, which suggests they were built by someone with access to a malware-as-a-service tool.
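For readers who want to look at a dropper like the one described above, here is an added example (not code from the article or from DomainTools) of offline static triage: it opens an APK as the zip archive it is, reports nested archives such as an embedded second-stage APK, and pulls hardcoded IPv4:port strings out of any DEX file it finds. The sample two-stage APK is constructed in memory, and the package names and the TEST-NET addresses 203.0.113.10 and 198.51.100.7 in it are made up for illustration.

```python
# Added example (not from the article or from DomainTools): offline static triage of a
# two-stage dropper APK. It lists nested archives (the embedded second-stage APK) and
# extracts hardcoded IPv4:port strings from DEX files. The sample APK is constructed
# in memory; the package names and the TEST-NET addresses 203.0.113.10 and
# 198.51.100.7 are made up for illustration.
import io
import re
import zipfile

# IPv4 literal followed by ":port", not preceded or followed by more digits/dots.
IP_PORT = re.compile(rb"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3}):(\d{1,5})(?!\d)")
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"


def _valid_ip(ip: bytes) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split(b"."))


def triage_apk(data: bytes, depth: int = 0, max_depth: int = 3) -> dict:
    """Walk one APK (a zip) and return
    {"embedded_archives": [entry names], "c2_candidates": ["ip:port", ...]}.
    Nested archives are recursed into; their own nested entries are reported
    with the parent entry name as a prefix."""
    result = {"embedded_archives": [], "c2_candidates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            if name.endswith(".dex") and blob.startswith(DEX_MAGIC):
                # Plain ASCII strings in DEX string data are readable as-is;
                # an obfuscated or encrypted config will not be caught here.
                for ip, port in IP_PORT.findall(blob):
                    if _valid_ip(ip) and 0 < int(port) < 65536:
                        result["c2_candidates"].append(f"{ip.decode()}:{port.decode()}")
            elif blob.startswith(ZIP_MAGIC) and depth < max_depth:
                # Any nested zip (APK, JAR) counts; droppers commonly keep the
                # real payload under assets/ and install it at runtime.
                result["embedded_archives"].append(name)
                inner = triage_apk(blob, depth + 1, max_depth)
                result["embedded_archives"] += [f"{name}/{n}" for n in inner["embedded_archives"]]
                result["c2_candidates"] += inner["c2_candidates"]
    result["c2_candidates"] = sorted(set(result["c2_candidates"]))
    return result


def _fake_dex(*strings: bytes) -> bytes:
    # Stand-in for classes.dex: the real DEX magic followed by NUL-separated strings.
    return b"dex\n035\x00" + b"\x00".join(strings) + b"\x00"


def build_sample_dropper() -> bytes:
    """Constructed two-stage sample: a dropper whose assets/payload.apk is the RAT."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("classes.dex", _fake_dex(b"Lcom/example/rat/Service;", b"198.51.100.7:5555"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", _fake_dex(b"installEmbeddedPayload", b"203.0.113.10:8080"))
        z.writestr("assets/payload.apk", payload.getvalue())
        z.writestr("res/values/strings.xml", b"<resources/>")
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dropper()
    for key, values in triage_apk(data).items():
        print(key, values)
```

Run it with a real APK path as the first argument, or with no arguments to triage the constructed sample. The string scan only finds plaintext endpoints; a family that stores its configuration encrypted, or resolves a domain at runtime, needs dynamic analysis instead, so an empty result is not a clean bill of health.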
SpyNote itself is a particularly nasty malware as it has a wide range of capabilities and features: It can intercept text messages, call logs and contacts; activate a phone's camera and microphone remotely; log keystrokes (including credentials and 2FA codes); track your GPS location; record your phone calls; download and install apps; wipe or lock devices remotely and prevent its own removal by abusing Android's accessibility services.
This is largely possible because of the aggressive permissions it requests. SpyNote can also hide its app icon, relaunch itself automatically after a reboot and exclude itself from battery optimization so it keeps running in the background. DomainTools LLC, the internet intelligence company that discovered this latest campaign, says that because of this persistence, the only way to completely remove the malware is often a factory reset.
How to stay safe
Android users should be very wary of fake Google Play Store pages and make sure they only download apps from a legitimate app store. Don't sideload APKs from unknown sources, and always check the URL of the site you're visiting: the real Play Store's web pages live under play.google.com, not on a recently registered look-alike domain.
The usual rules of phishing and good online practice also apply: Don't click on links, QR codes or attachments from unknown or unexpected senders. Likewise, keeping Google Play Protect enabled and installing one of the best Android antivirus apps on your smartphone, kept up to date, can help protect you from mobile malware infections.
Impersonating popular brands and services is one of the oldest tricks in a hacker's playbook, which is why you need to be on the lookout at all times for fake sites, malicious ads and other lures. This way, you can keep your phone and all the sensitive personal and financial data it contains safe from hackers.
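Two of the warning signs discussed above, an app installed from outside the Play Store and an app that has been granted accessibility access, can be checked from a computer over adb. The following is an added example (not from the article or from DomainTools) that parses the output of two real adb commands, `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`, and flags sideloaded apps that also hold an enabled accessibility service. The sample output embedded below is constructed, and the package names in it are made up.

```python
# Added example (not from the article): an offline check for two warning signs,
# apps installed outside the Play Store and apps granted accessibility access,
# parsed from the output of two real adb commands:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services
# The sample output below is constructed; the package names in it are made up.
import re

PLAY_STORE = "com.android.vending"

# Constructed output of `pm list packages -3 -i` (third-party apps with installer).
SAMPLE_PM_OUTPUT = """\
package:com.example.bankapp  installer=com.android.vending
package:org.example.terminal  installer=null
package:com.example.update  installer=null
"""

# Constructed value of the enabled_accessibility_services secure setting:
# colon-separated package/service pairs, or "null" when nothing is enabled.
SAMPLE_A11Y_SETTING = (
    "com.example.update/com.example.update.AccService:"
    "com.google.android.marvin.talkback/.TalkBackService\n"
)

PM_LINE = re.compile(r"package:(\S+)\s+installer=(\S+)")


def sideloaded_packages(pm_output: str) -> list[str]:
    """Packages whose recorded installer is not the Play Store. "null" means no
    installer was recorded; anything else that is not the Play Store (for
    example the system package installer) is treated as sideloaded too."""
    found = []
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m and m.group(2) != PLAY_STORE:
            found.append(m.group(1))
    return found


def accessibility_packages(setting_value: str) -> list[str]:
    """Packages that currently hold an enabled accessibility service."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/")[0] for entry in value.split(":") if entry]


def suspicious_packages(pm_output: str, setting_value: str, allowlist=()) -> list[str]:
    """Sideloaded apps that also have an accessibility service enabled, the
    combination SpyNote relies on to resist removal. Known screen readers and
    similar tools can be allowlisted by package name."""
    side = set(sideloaded_packages(pm_output))
    a11y = set(accessibility_packages(setting_value))
    return sorted((side & a11y) - set(allowlist))


if __name__ == "__main__":
    # To run against a real device, replace the samples with:
    #   subprocess.check_output(["adb", "shell", "pm", "list", "packages", "-3", "-i"], text=True)
    #   subprocess.check_output(["adb", "shell", "settings", "get", "secure",
    #                            "enabled_accessibility_services"], text=True)
    print("sideloaded:", sideloaded_packages(SAMPLE_PM_OUTPUT))
    print("accessibility:", accessibility_packages(SAMPLE_A11Y_SETTING))
    print("suspicious:", suspicious_packages(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_SETTING))
```

A hit from this check is a reason to look closer, not proof of infection: legitimate accessibility tools installed from outside the Play Store will also be listed, which is what the allowlist is for. Conversely, a RAT that hides its icon still appears in the package list, so this is one of the few places it cannot hide from the user.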

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps.