SpyNote relies on SMS phishing campaigns to trick potential victims into installing the app, then hides itself from the home screen, making it difficult to detect.
Experts have examined the Android banking trojan, SpyNote, revealing its diverse data-gathering features. It typically spreads through SMS phishing campaigns, where it tricks users into installing the app via embedded links. Additionally, SpyNote conceals its presence from the Android home screen and the Recents screen.
In a recent analysis, F-Secure’s Amit Tambe explained that SpyNote's main activity can be launched externally through an intent. Most importantly, it actively seeks accessibility permissions and uses them to grant itself additional rights for recording audio, logging calls, tracking keystrokes, and capturing screenshots via the MediaProjection API. A closer examination reveals so-called diehard services that resist termination attempts by the victim or the operating system and restart automatically when shutdown is imminent. Furthermore, users who attempt to uninstall the malicious app via Settings encounter obstacles, often requiring a factory reset and resulting in data loss.
Amit Tambe explained that SpyNote, a stealthy spyware, actively logs and steals various data, such as keystrokes and call logs, making detection and uninstallation challenging. Victims are often left with the sole recourse of performing a data-wiping factory reset. This discovery coincides with a report by a Finnish cybersecurity firm, which exposes a deceptive Android app masquerading as an OS update and deceiving users into actively granting accessibility permissions, including a deceptive broadcast receiver, for the exfiltration of SMS and bank data.
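A static triage check for the traits described above, as an added example that is not code from the F-Secure analysis or from this article: it parses a decoded AndroidManifest.xml (for instance, as produced by apktool) and flags an app that has no launcher icon, is excluded from Recents, declares an accessibility service, or declares a MediaProjection foreground service. The sample manifest, the finding labels and the choice of indicators are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SENSITIVE = {"android.permission.RECORD_AUDIO", "android.permission.READ_CALL_LOG",
             "android.permission.READ_SMS"}

# Constructed sample manifest (not taken from a real SpyNote sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <activity android:name=".Main" android:excludeFromRecents="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Cap" android:foregroundServiceType="mediaProjection"/>
  </application>
</manifest>"""

def triage(manifest_xml):
    """Return a list of finding labels (hypothetical names) for one manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    activities = root.findall("./application/activity")
    cats = {c.get(ANDROID + "name")
            for a in activities for c in a.findall("./intent-filter/category")}
    # No LAUNCHER category means no icon on the home screen.
    if activities and "android.intent.category.LAUNCHER" not in cats:
        findings.append("no-launcher-icon")
    if any(a.get(ANDROID + "excludeFromRecents") == "true" for a in activities):
        findings.append("hidden-from-recents")
    for s in root.findall("./application/service"):
        if s.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("accessibility-service")
        if "mediaProjection" in (s.get(ANDROID + "foregroundServiceType") or "").split("|"):
            findings.append("media-projection-service")
    perms = {p.get(ANDROID + "name") for p in root.findall("./uses-permission")}
    findings += sorted("perm:" + p.rsplit(".", 1)[1] for p in perms & SENSITIVE)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any single finding is common in legitimate apps; the combination of a hidden app with an accessibility service and capture-related permissions is what warrants a closer look.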