Android/SpyNote Moves to Crypto Currencies | FortiGuard Lab

SpyNote Android RAT masqueraded as a crypto wallet (Imtoken.apk) to inject a Base64-encoded WebView overlay and abuse the Accessibility API to automatically hijack and replace destination addresses, force “Max” transfers, and complete cryptocurrency transactions. The sample also uses a malformatted APK layout to break automated unpackers and is detected by Fortinet as Android/SpyNote.F!tr. #SpyNote #Imtoken

Keypoints

  • SpyNote sample disguised as a legitimate crypto wallet (Imtoken.apk) targets Android users with crypto wallet or banking apps.
  • The malware abuses the Android Accessibility API to detect wallet UIs, record unlock gestures, display overlays, and perform automated UI actions.
  • An injected WebView overlay (HTML encoded in Base64) presents a fake transfer page and is displayed over the real wallet app to fool victims.
  • The Accessibility-driven procedure reads the destination address and amount, replaces the destination with the attacker-controlled address provided by the remote server, clicks “Max,” and advances the transfer flow automatically.
  • Social engineering is used to obtain Accessibility Service permission; once granted the app can navigate, read, click, and modify other applications without user intervention.
  • Anti-analysis: the APK is intentionally malformatted (resource entries placed as directories under classes.dex and AndroidManifest.xml), causing unzip/tool errors and hindering automated analysis.

MITRE Techniques

  • No MITRE ATT&CK techniques were explicitly referenced in the article.

Indicators of Compromise

  • [File] Malicious APK used as lure – Imtoken.apk
  • [Hash] Sample hashes – SHA1: 8eea235b26fadeecd0f817433c97747853c51a24, SHA256: caac4681389b0af7998ba8fd2062d18050a0e5e8cb4c8d0006a1b3a921ee52c8
  • [Detection] Vendor detection name – Android/SpyNote.F!tr

The technical procedure centers on abusing Android’s Accessibility API combined with an overlay injection to automate cryptocurrency theft. After the malicious APK obtains Accessibility Service permission (via social-engineering prompts), it monitors running UIs to detect known crypto wallet applications, then creates a WebView overlay whose HTML is embedded in the APK as Base64. This overlay mimics a transfer screen and is displayed on top of the legitimate wallet app so the victim is unlikely to notice the substitution.

Once active, the malware uses Accessibility actions to read form fields (destination address and amount), store those values, replace the destination address with an attacker-provided wallet address (received from the remote server), programmatically click the “Max” option to select the full balance, and press Next/Continue to finalize the transfer, all without user interaction. The combination of the overlay and Accessibility actions makes the malicious UI appear native while the real app remains unaware of the change.

To slow automated analysis, the APK is intentionally malformatted by placing resource entries as directories that conflict with expected files like classes.dex and AndroidManifest.xml; common unzip and automated unpacking tools fail with errors, complicating bulk analysis. Fortinet reports detection as Android/SpyNote.F!tr and provides the file name and hashes listed above for blocking and hunting.
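The layout trick described above is easy to check for before an APK ever reaches a bulk unpacker: a zip entry that uses `classes.dex` or `AndroidManifest.xml` as a top-level directory component can never coexist with the regular file of that name on a real filesystem. The following triage helper is an added example written for this summary, not Fortinet's tooling and not code from the sample; it builds a constructed, placeholder APK-like zip in memory (both a clean and a conflicting layout), reports the conflicting entries, and shows that a plain `extractall` fails on the conflicting one.

```python
import io
import tempfile
import zipfile
from typing import Dict, List

# Entries that every well-formed APK carries as regular top-level files.
REQUIRED_FILES = ("classes.dex", "AndroidManifest.xml")


def _directory_components(entry_name: str) -> List[str]:
    """Path components of a zip entry that must exist as directories on disk."""
    parts = [p for p in entry_name.split("/") if p]
    # A trailing slash marks a directory entry: every component is a directory.
    return parts if entry_name.endswith("/") else parts[:-1]


def find_path_conflicts(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Map each required file name to the zip entries that reuse that name as
    a top-level directory. An empty dict means the layout is consistent."""
    conflicts: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            dirs = _directory_components(info.filename)
            if dirs and dirs[0] in REQUIRED_FILES:
                conflicts.setdefault(dirs[0], []).append(info.filename)
    return conflicts


def is_malformed(apk_bytes: bytes) -> bool:
    """True when the archive uses a required file's name as a directory."""
    return bool(find_path_conflicts(apk_bytes))


def extraction_fails(apk_bytes: bytes) -> bool:
    """Attempt a plain extraction into a scratch directory, the way a bulk
    unpacking pipeline would; a file/directory name clash raises OSError."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
                zf.extractall(tmp)
        except OSError:
            return True
    return False


def build_sample_apk(malformed: bool) -> bytes:
    """Constructed sample (placeholder contents, not a real app): a minimal
    APK-like zip. With malformed=True, resource entries are added under
    directories named classes.dex and AndroidManifest.xml, mirroring the
    conflicting layout described in the write-up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
        zf.writestr("resources.arsc", b"placeholder")
        zf.writestr("res/layout/main.xml", b"<placeholder layout/>")
        if malformed:
            zf.writestr("classes.dex/res.xml", b"placeholder")
            zf.writestr("AndroidManifest.xml/strings.xml", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("malformed", True)):
        apk = build_sample_apk(flag)
        print(label, find_path_conflicts(apk), "extraction_fails =", extraction_fails(apk))
```

Because the check only reads the central directory, it runs in constant time per entry and can sit in front of an unpacking stage to route such samples to manual analysis instead of letting them silently error out of a pipeline.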

Read more: https://feeds.fortinet.com/~/870392525/0/fortinet/blog/threat-research~AndroidSpyNote-Moves-to-Crypto-Currencies