SpyNote Malware Part 2

Deceptive websites cloned from the Google Play Store are delivering AndroidOS SpyNote RAT via APK droppers that use dynamic payload decryption, DEX element injection, and added anti-analysis techniques to evade detection. The actor re-used infrastructure with minor IP rotations and continues to target consumers with spoofed popular apps like Chrome, CamSoda, and iHappy.

Key Points

  • Actors deploy fake Google Play Store web pages to trick users into downloading malicious .apk files directly via JavaScript-triggered downloads.
  • Initial droppers decrypt and join encrypted assets (files “000” and “001”) using an AES key derived from the manifest to produce the SpyNote APK.
  • Dropper employs DEX element injection and reflection to insert malicious code into the ClassLoader, forcing execution of malicious code over legitimate app code.
  • SpyNote capabilities include camera/microphone control, keylogging, accessibility abuse to steal 2FA codes, overlay attacks, and remote device control including wipe/lock.
  • Recent samples use control flow and identifier obfuscation (variations of o, O, 0) in C2 logic and added anti-analysis measures in the APK dropper.
  • Infrastructure is relatively static and confined to a few IPs/domains (e.g., 154.90.58[.]26 and 199.247.6[.]61) though IP resolutions are occasionally rotated.
  • Actor targets a broad consumer audience with lures mimicking social, gaming, and utility apps (examples: Chrome, CamSoda, iHappy) suggesting financially motivated operations.
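As an added triage example (not code from the report or from DomainTools), this Python script checks an APK for the two dropper traits listed above: numeric-named assets such as "000" and "001" whose contents have ciphertext-like entropy, and class or method identifiers built only from the characters o, O and 0. The entropy threshold, the numeric-name rule and the in-memory sample APK are constructed assumptions, not values from the report.

```python
import io
import math
import os
import re
import zipfile

# Assumed heuristics (mine, not the report's): AES ciphertext sits close to
# 8.0 bits/byte, so anything above 7.5 is treated as encrypted.
ENTROPY_THRESHOLD = 7.5
NUMERIC_ASSET = re.compile(r"^assets/\d+$")   # e.g. assets/000, assets/001
OBFUSCATED_IDENT = re.compile(r"^[oO0]+$")    # names made only of o / O / 0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def suspicious_assets(apk_bytes: bytes) -> list:
    """Return (name, entropy) for numeric-named assets that look encrypted."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if NUMERIC_ASSET.match(info.filename):
                ent = shannon_entropy(apk.read(info.filename))
                if ent >= ENTROPY_THRESHOLD:
                    hits.append((info.filename, round(ent, 2)))
    return hits


def obfuscated_identifiers(names) -> list:
    """Identifiers consisting only of o/O/0 (single letters like 'o' also
    come from ordinary ProGuard output, so treat a hit as a lead, not proof)."""
    return [n for n in names if OBFUSCATED_IDENT.match(n)]


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/000", os.urandom(4096))  # stand-in for encrypted half
        z.writestr("assets/001", os.urandom(4096))  # stand-in for encrypted half
        z.writestr("assets/readme.txt", b"plain text " * 100)
        z.writestr("assets/002", b"A" * 4096)       # numeric name, low entropy
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_assets(build_sample_apk()))
    print(obfuscated_identifiers(["MainActivity", "oO0", "O0o0", "o", "Ooo1"]))
```

On a real dropper, feed the APK bytes to `suspicious_assets` and the class/method names from your decompiler listing to `obfuscated_identifiers`.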

MITRE Techniques

  • [T1636.004] Collect SMS Messages – SpyNote can steal SMS messages as part of its data exfiltration capabilities (“Stealing SMS messages”).
  • [T1636.003] Contact List – SpyNote accesses and exfiltrates the device contact list (“Accessing and exfiltrating contact list”).
  • [T1636.002] Call Log – SpyNote reads call logs to gather caller information and history (“Reading call logs”).
  • [T1430] Location Tracking – SpyNote tracks GPS location to monitor victim movements (“Tracking GPS location”).
  • [T1533] Data from Local System – SpyNote accesses files and photos from local storage (“Accessing and potentially stealing files from external storage”, “Stealing photos”).
  • [T1640] Device Information Discovery – SpyNote extracts device identifiers and system specs (IMEI, etc.) (“Extracting device information (IMEI, system specs)”).
  • [T1657] Network Traffic Monitoring – SpyNote can monitor network traffic on the device (“Monitoring network traffic”).
  • [T1428] Camera Capture – SpyNote can activate the device camera to capture photos or video (“Activating the device’s camera to capture photos or videos”).
  • [T1429] Audio Capture – SpyNote records audio from the device microphone (“Recording audio from the device’s microphone”).
  • [T1646] Make Phone Call – SpyNote can initiate phone calls from the device (“Making phone calls”).
  • [T1645] Call Recording – SpyNote can intercept and record incoming phone calls (“Intercepting incoming phone calls and recording them”).
  • [T1132] External Remote Services – SpyNote provides remote command execution via a shell or similar remote services (“Providing a shell terminal for remote command execution”).
  • [T1478] Input Capture – SpyNote implements keylogging to capture keystrokes (“Keylogging (recording keystrokes)”).
  • [T1555.004] Credentials in Files – SpyNote targets application credentials and can extract 2FA codes and other credentials (“Targeting credentials for various applications (banking, social media)”, “Extracting two-factor authentication (2FA) codes”).
  • [T1641] Overlay Windows – SpyNote displays overlays for clickjacking and credential theft (“Displaying content over other applications (clickjacking)”).
  • [T1485] Data Destruction – SpyNote can remotely wipe device data if granted privileges (“Remotely wiping data”).
  • [T1486] Device Lockout – SpyNote can remotely lock the device (“Remotely locking the device”).
  • [T1535] Reset Device Password – SpyNote can reset device passwords remotely (“Remotely resetting the device password”).
  • [T1534] Install Other Software – SpyNote can download and install additional apps without user consent (“Downloading and installing new applications without user consent”).
  • [T1539] Update Software – SpyNote supports self-updating capabilities (“Self-updating”).
  • [T1574] File Deletion – SpyNote can delete collected data from storage (“Deleting collected data from the SD card”).
  • [T1518] Installed Application List – SpyNote detects other installed apps to tailor targeting (“Detecting other installed applications”).
  • [T1656] Screen Capture – SpyNote can capture screen content (“Capturing screen content”).
  • [T1556] Webview Injection – SpyNote can inject links into webviews within apps (“Injecting web links into web view modules within applications”).
  • [T1668] Hide Icons – SpyNote hides its app icon to avoid discovery (“Hiding its application icon from the app launcher”).
  • [T1624.001] Event Triggered Execution: Broadcast Receivers – SpyNote automatically restarts services after reboot (“Automatically starting malicious services after device reboot”).
  • [T1520] Persistence via System Application – SpyNote implements resilient “diehard services” to resist termination (“Implementing ‘diehard services’ that are difficult to shut down”).
  • [T1546.003] Disable or Modify System Configuration: Disable Battery Optimization – SpyNote excludes itself from battery optimization to stay active (“Excluding itself from battery optimization settings”).
  • [T1529] Abuse of OS Features: Notifications – SpyNote uses silent persistent notifications to maintain presence (“Displaying continuous silent notifications to maintain a persistent presence”).
  • [T1547] Prevent Application Uninstall – SpyNote monitors for uninstall attempts and blocks removal (“Monitoring system settings for attempts to remove the application and blocking them”).
  • [T1550] Abuse of Accessibility Features – SpyNote hijacks Accessibility Services to simulate inputs and steal 2FA codes (“Hijacking accessibility services to simulate user inputs to prevent uninstallation”).
  • [T1701] Application Manipulation – SpyNote automatically navigates or manipulates the UI to interfere with user attempts to remove it (“Automatically navigating back to the device’s home screen when a user tries to access app settings”).

Indicators of Compromise

  • [IP Address] delivery and C2 infrastructure – 154.90.58[.]26 (delivery host serving many malicious APKs), 199.247.6[.]61 (hosts C2 domains)
  • [Domain] malicious delivery and C2 domains – bcgrt[.]top (example delivery URL https://bcgrt[.]top/Beauty.apk), mskisdakw[.]top (C2 example); many other .top domains used for APK hosting.
  • [File Name] spoofed APK filenames used as lures – Chrome.apk, CamSoda.apk, iHappy.apk (examples from delivery URLs)
  • [File Hash] dropper and payload hashes – Chrome.apk (dropper) SHA-256: 48aa5f908fa6…66e8, Classes.dex (SpyNote) SHA-256: 86e8d3716318…b9e8 (and the combined decrypted SpyNote asset, SHA-256: b81febd19a45…d0d6)
  • [JavaScript/HTML Artifacts] page and iframe indicators – embedded strings and resources such as “sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE” and “PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc” found in fake Play Store pages.

Read more: https://dti.domaintools.com/spynote-malware-part-2/