Keypoints
- Smishing SMS messages impersonated power and water suppliers to create urgency and direct victims to a phishing website.
- The phishing site triggered an APK download on mobile browsers and presented an installation confirmation for SpyNote spyware.
- SpyNote masquerades as legitimate apps (using realistic icons/app names) and, once launched, displays a fake settings screen to prompt enabling Accessibility services.
- Enabling Accessibility allowed the malware to disable battery optimization, grant unknown-source installation permissions, and obtain device-administrator-like control to install additional apps silently.
- The malware collects device information and sensitive user data: location, contacts, incoming/outgoing SMS, phone calls, and two-factor authentication tokens (Google Authenticator), plus account data for Gmail/Facebook.
- Observed indicators include the C2 server 104.233.210.35:27772 and multiple APK samples using the package names com.faceai.boot and com.faceai.boom (several SHA256 hashes listed).
- McAfee Mobile Security detects this threat as Android/SpyNote and alerts users to infection.
MITRE Techniques
- No MITRE ATT&CK technique IDs are explicitly referenced in the article; the report describes phishing via SMS and abuse of Android Accessibility and device-administration capabilities but does not cite ATT&CK technique codes.
Indicators of Compromise
- [C2 Server] Command-and-control server used by SpyNote – 104.233.210.35:27772
- [SHA256 Hash] Malware sample hashes observed – 075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954, e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f, and 14 more hashes
- [Package name] Malicious APK package identifiers – com.faceai.boot, com.faceai.boom
- [Application name] Impersonated / displayed app names used in lures – 東京電力 (TEPCO), 東京水道局アプリ (Tokyo Water Bureau App)
The attack chain begins with an SMS containing a URL to a phishing website; when the site is opened in a mobile browser, it initiates an APK download and prompts the user with an installation confirmation dialog for what appears to be a legitimate utility app. The installed SpyNote samples (packages observed as com.faceai.boot and com.faceai.boom, with multiple SHA256 hashes) present realistic icons and a fake settings UI to trick users into enabling Accessibility services.
After the victim enables Accessibility, SpyNote leverages those permissions to disable battery optimization (allowing background persistence), programmatically enable installation from unknown sources, and obtain elevated controls similar to device-admin capabilities. This enables silent installation of additional payloads and continuous background operation. The malware exfiltrates device metadata and user-sensitive information including location, contacts, SMS messages, call logs, and two-factor authentication data (Google Authenticator), and communicates with the C2 at 104.233.210.35:27772.
Technical detection and response should focus on blocking the C2 IP, detecting the listed SHA256 samples and package names, monitoring for Accessibility-service grants and changes to unknown-sources/install permissions, and educating users not to install APKs from SMS links. McAfee Mobile Security flags these samples as Android/SpyNote.
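The detection guidance above, as an added example that is not from the McAfee report: it matches a constructed device inventory (records of the kind `pm list packages -i` and the enabled Accessibility services setting yield) and constructed flow records against the indicators the page lists. The vetted-Accessibility set and all sample telemetry are assumptions; the remaining 14 hashes are not reproduced here.

```python
import re
# Indicators quoted from the report above; the 14 further hashes are not reproduced here.
C2 = ("104.233.210.35", 27772)
MALICIOUS_PACKAGES = {"com.faceai.boot", "com.faceai.boom"}
KNOWN_HASHES = {
    "075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954",
    "e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f",
}
# Apps vetted to hold the Accessibility service (assumed placeholder, set per fleet).
VETTED_ACCESSIBILITY = {"com.android.talkback"}

def check_inventory(packages):
    """Return (package, reason) findings for records built from `pm list packages -i`
    and the enabled-accessibility-services setting; sideloaded apps have no installer."""
    findings = []
    for p in packages:
        name = p["name"]
        if name in MALICIOUS_PACKAGES:
            findings.append((name, "package name reported for SpyNote"))
        if p.get("sha256", "").lower() in KNOWN_HASHES:
            findings.append((name, "APK hash matches a reported sample"))
        if p.get("accessibility_enabled") and name not in VETTED_ACCESSIBILITY:
            findings.append((name, "unvetted app granted Accessibility service"))
        if p.get("installer") is None:
            findings.append((name, "sideloaded APK (no installer package)"))
    return findings

def check_flows(lines):
    """Return 'src:port -> dst:port' flow records whose destination is the C2."""
    pat = re.compile(r"->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
    hits = []
    for line in lines:
        m = pat.search(line)
        if m and (m.group(1), int(m.group(2))) == C2:
            hits.append(line.strip())
    return hits

# Constructed sample telemetry, not real device data.
SAMPLE_INVENTORY = [
    {"name": "com.android.talkback", "sha256": "ab" * 32,
     "installer": "com.android.vending", "accessibility_enabled": True},
    {"name": "com.faceai.boot",
     "sha256": "075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954",
     "installer": None, "accessibility_enabled": True},
]
SAMPLE_FLOWS = [
    "10.0.0.7:41022 -> 203.0.113.5:443",
    "10.0.0.7:41023 -> 104.233.210.35:27772",
]
```

The sideload and Accessibility checks fire on any unvetted app, so they catch renamed or rehashed builds that the package-name and hash matches miss.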