A phishing campaign in Italy targets Android devices by delivering SpyNote malware disguised as the INPS Mobile app. Victims are lured to download a fake INPS Mobile APK from a spoofed domain, after which the app prompts for permissions and decrypts instructions using AES.
#SpyNote #INPSMobile #CERT-AGID #D3lab #INPS #Android #Italy
Keypoints
- The campaign aims to compromise Android devices in Italy using a SpyNote malware payload masquerading as the INPS Mobile app.
- A phishing page, reported to CERT-AGID by D3lab, imitates INPS branding to deceive victims and guide them to download the fake app.
- Following the on-page instructions, victims download an APK; after installation, the app prompts for permissions and updates.
- The APK acts as a cover to hide the real malware, which is SpyNote distributed through this fake INPS Mobile disguise.
- The malware uses a sequence of strings decrypted via nested functions to obtain AES keys, indicating encryption and obfuscation of its instructions.
- The CERT-AGID post includes screenshots and details of the fake app's installation flow and settings access.
MITRE Techniques
- [T1566] Phishing: The attacker uses a phishing page designed to resemble the INPS site to prompt victims to download a malicious APK. Quote: "phishing page, reported by D3lab to CERT-AGID, is carefully designed with logos and content that reproduce the official ones of the Institute."
- [T1036] Masquerading: The APK serves as a cover to hide the real malware. Quote: "This APK serves as a cover to hide the real malware."
- [T1027] Obfuscated/Compressed Files and Information: The app uses a sequence of strings deciphered via nested functions to obtain AES keys and decrypt instructions. Quote: "The following Java code is illustrated for decrypting the strings: …"
- [T1105] Ingress Tool Transfer: The victim downloads an APK from the phishing page after pressing the Download button. Quote: "The victim who follows the false instructions and presses the 'Download' button receives an APK file on their device."
Indicators of Compromise
- [Domain] cert-agid.gov.it: context: the CERT-AGID site that hosts the original post and its screenshots of the phishing page (e.g., cert-agid.gov.it/wp-content/uploads/2024/04/spynote_inps.png; cert-agid.gov.it/news/rilevata-campagna-malware-spynote-mascherata-come-app-inps-mobile/)
- [URL] https://cert-agid.gov.it/news/rilevata-campagna-malware-spynote-mascherata-come-app-inps-mobile/: context: original CERT-AGID post describing the campaign
Read more: https://cert-agid.gov.it/news/rilevata-campagna-malware-spynote-mascherata-come-app-inps-mobile/