Android/SpyNote Moves to Crypto Currencies | FortiGuard Lab

Affected Platform: Android
Impacted Users: Android users with mobile crypto wallet or banking applications
Impact: Financial Loss
Severity Level: Medium

Spynote is a Remote Access Trojan that initially surfaced in 2020. Since then, it has grown into one of the most common families of malware for Android, with multiple samples, integration of other RATs (e.g. CypherRat), and a large family of over 10,000 samples. There are multiple variants and integrations of other RATs, and since 2023 there has been a growing interest in financial institutions.

On February 1st, we found a malicious sample posing as a legitimate crypto wallet that actually included the SpyNote RAT with several interesting additions related to anti-analysis and cryptocurrencies.

Accessibility API for Crypto Wallet injections

Like much Android malware today, this malware abuses the Accessibility API. This API is used to automatically perform UI actions. For example, the malicious sample uses the Accessibility API to record device unlocking gestures. Newer, this SpyNote sample uses the Accessibility API to target famous crypto wallets.

The following code recognizes the use of a legitimate crypto wallet and displays an overlay over it.

android spynote overlay code

The injected overlay consists of a WebView whose HTML is hard-coded in Base64.

android spynote html coded base64

If we decode the overlay, we get an HTML page for cryptocurrency transfers. Notice that the page apparently initiates a transfer between 2 hard-coded fake wallets. See below: the “…” in between the alleged wallet addresses are exactly as in the code (note that we censored the full addresses). For the malware analyst, it’s obvious they are fake.  However, it is likely the victim won’t notice because (1) the wallet identifiers always have many characters and are therefore difficult to verify, and (2) this will look as if it were displayed by the victim’s legit crypto wallet application (in reality, it is displayed over the real crypto wallet app, but this is not detectable).

android spynote cryptocurrency transfers

In addition, the malicious code uses the Accessibility API to automatically fill a form and transfer a given amount of cryptocurrency to the cybercriminals. Precisely, the code performs the following tasks:

  1. Reads and memorizes the destination wallet address (field input_value)
  2. Reads and memorizes the amount (field input_general_amount)
  3. Modifies the destination address and replaces it with the attacker’s crypto wallet address (initializeService.usdtadress). This address is sent by the remote server the malware communicates with.
  4. Clicks on Max (action_max). This option requests to send the full amount, not a portion.
  5. Clicks on the Next/Continue button

android spynote ops accessibility api

All of these operations are performed automatically through the Accessibility API without the user’s intervention.

Permissions for the Accessibility API

To gain access to the Accessibility API, all malware lure victims one way or another into giving them the necessary rights. This sample follows the same strategy. We remind end-users that they should never do this. While the Accessibility API is rightfully requested by apps to help people with disabilities, they should always be treated as highly suspicious coming from alleged crypto wallets, PDF Readers, Video Players, etc.

The 2 screenshots below show (1) the SpyNote malware requesting Accessibility Service and (2) how, when you grant the desired access, the Android OS displays an additional warning window explaining the risks. It is still possible at that point to click on “Deny,” and the malware won’t gain access.

android spynote permission screenshot

Unfortunately, as soon as the victim clicks on “Allow,” it is basically “game over” because the malware can navigate, click, read, and modify any application.


Besides injections into crypto wallets, the sample features an interesting, simple, but efficient anti-analysis technique. We remind users that Android Packages (APK) are ZIP files and normally contain a Dalvik executable (classes.dex), a manifest (AndroidManifest.xml), resources, and assets. In this particular case, the sample is malformatted: several resource files are meant to be present in the subdirectories of classes.dex and AndroidManifest.xml.

android spynote anti analysis malformatted

But classes.dex and AndroidManifest.xml are files, not directories. Consequently, standard unzip tools fail with lots of errors, which complicates the automated analysis of the sample.

android spynote unzip tool errors


After a growing interest in financial institutions, this new Android/SpyNote sample shows that malware authors are now taking into account cryptocurrencies. The capabilities of the malware are well beyond the mere spying of credentials as they can initiate cryptocurrency transfers.

As for anti-analysis, while the implemented technique is simple and by-passable by a human analyst, it certainly defeats—or complicates—automated analysis, giving the malware author a little more time before detection.

The sample is detected automatically by our products, and we urge Android users to pay particular attention to any application requesting the Accessibility API.

Fortinet Protections

Fortinet customers are already protected from this malware variant through our AntiVirus as follows: FortiGuard Labs detects the sample with the following AV signatures:


The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.






SHA1: 8eea235b26fadeecd0f817433c97747853c51a24
SHA256: caac4681389b0af7998ba8fd2062d18050a0e5e8cb4c8d0006a1b3a921ee52c8


Source: Original Post

“An interesting youtube video that may be related to the article above”