SpyNote continues to attack financial institutions | Cleafy Labs

Cleafy Labs reports that SpyNote spyware has been repurposed to perform aggressive banking fraud campaigns across Europe by abusing Android Accessibility services, media projection APIs, and built-in remote access workflows. The malware collects keystrokes, SMS and authenticator codes, records the screen and audio, and communicates with hardcoded C2 servers using a custom compressed protocol. #SpyNote #Cleafy #TeamViewer

Key points

  • Campaigns use smishing/phishing to trick users into installing SpyNote disguised as banking apps, updates, or support tools (e.g., TeamViewer QuickSupport).
  • SpyNote abuses Android Accessibility services to auto-accept permission prompts, perform keylogging, read app context, and extract Google Authenticator codes.
  • The spyware collects SMS messages and exfiltrates them to C2 servers to bypass SMS-based 2FA and perform on-device fraud.
  • Screen and audio capture use Media Projection APIs to observe and record victim interactions during fraud operations.
  • SpyNote contacts hardcoded C2 addresses over socket connections (uncommon ports such as 7771) and exchanges GZip-compressed payloads with a custom framing scheme.
  • Defense-evasion includes code/class obfuscation, junk code, anti-emulator checks, hiding the app icon, preventing manual uninstall, and downloading additional Dex files from C2.
  • Key artifacts such as Base64-encoded keylogger logs (log-yyyy-mm-dd.txt in /Config/sys/apps/log) are stored locally before exfiltration.

MITRE Techniques

  • [T1566] Phishing – Smishing and email lures used to deliver SpyNote: [‘fake SMS message (smishing) where the user is asked to install the “new certified banking app”’]
  • [T1056] Input Capture – Keylogging of user text and app context via Accessibility: [‘Any text written by the user.’]
  • [T1113] Screen Capture – Recording the device display using Media Projection APIs: [‘Media Projection APIs… user can see… that an application… is projecting his screen.’]
  • [T1071] Application Layer Protocol – C2 communications over socket with hardcoded IP/port and custom data framing: [‘contacts the C2 via socket communication using a hardcoded IP address and port… the data exchanged… first bytes represent the length… then the compressed data using the GZip algorithm.’]
  • [T1027] Obfuscated Files or Information – Code and class name obfuscation and junk code to hinder static analysis: [‘obfuscation of all class names… the use of junk code to slow down the static analysis of the code’]
  • [T1497] Virtualization/Sandbox Evasion – Anti-emulator checks to prevent execution in analysis environments: [‘anti-emulator controls to prevent it from being launched and analyzed within an emulator or sandbox’]
  • [T1105] Ingress Tool Transfer – Downloading additional files/Dex from C2 to extend functionality: [‘capable of downloading additional files from the C2 server’]

Indicators of Compromise

  • [MD5 hash] SpyNote sample identifiers – 9e185dd6d7137357b61941525e935124, 291c24d9b3f4a5793a2600610671eb42
  • [C2 IP:port] Command-and-control servers observed – 37.120.141.144:7771, 37.120.141.140:7775
  • [File path / filenames] Local artifacts and logs – /Config/sys/apps/log/log-yyyy-mm-dd.txt (Base64-encoded keylogger data), and downloaded Dex files
  • [App names / icons] Malicious app disguises – “CERTIFCATO”, “CertApp”, and impersonations of banking/security apps or Android updates

SpyNote installation typically begins with smishing or phishing that convinces victims to install an app masquerading as a bank app or support tool; attackers also direct victims to legitimate TeamViewer QuickSupport instances to enable social-engineered remote transactions. During installation the malware requests Accessibility privileges and uses them to automatically accept permission prompts, enumerate installed apps, capture which app is in use (package name/label), and record any text the user types. These captured inputs are Base64-encoded and written to daily log files under /Config/sys/apps/log/log-yyyy-mm-dd.txt for later exfiltration.
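The daily keylogger files described above are a useful triage artifact for incident responders. The following is an added example, not code from Cleafy or from the report: it walks an extracted app-storage tree, locates files matching the reported path pattern (`.../Config/sys/apps/log/log-yyyy-mm-dd.txt`) and decodes each Base64 line. The assumption that each log line holds exactly one Base64 entry, and the sample entries built by `build_sample_tree()`, are constructed for illustration and are not from the report.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Artifact location reported by Cleafy: <app storage>/Config/sys/apps/log/log-yyyy-mm-dd.txt
# The one-Base64-entry-per-line layout is an assumption made for this example.
LOG_NAME = re.compile(r"^log-(\d{4})-(\d{2})-(\d{2})\.txt$")
LOG_PARENT = ("Config", "sys", "apps", "log")


def find_keylogs(root):
    """Return every file under `root` whose name and parent directory match
    the reported keylogger log pattern, sorted by path."""
    hits = []
    for path in Path(root).rglob("log-*.txt"):
        if LOG_NAME.match(path.name) and tuple(path.parent.parts[-4:]) == LOG_PARENT:
            hits.append(path)
    return sorted(hits)


def decode_keylog(path):
    """Decode one log file line by line. Returns the decoded entries plus a
    count of lines that were not valid Base64 (partial writes, corruption)."""
    decoded, bad = [], 0
    with open(path, "rb") as fh:
        for raw in fh:
            line = raw.strip()
            if not line:
                continue
            try:
                text = base64.b64decode(line, validate=True).decode("utf-8", errors="replace")
            except (binascii.Error, ValueError):
                bad += 1  # keep going: one bad line should not hide the rest
                continue
            decoded.append(text)
    return {"path": str(path), "entries": decoded, "undecodable_lines": bad}


def build_sample_tree():
    """Create a constructed app-storage tree with one fake keylogger log and a
    decoy file, so the functions above can be exercised offline."""
    root = Path(tempfile.mkdtemp(prefix="spynote-triage-"))
    logdir = root / "files" / Path(*LOG_PARENT)
    logdir.mkdir(parents=True)
    # Constructed sample entries: "<package>|<typed text>" is an illustrative format only.
    entries = [b"com.example.bank|Enter PIN", b"1234", b"com.android.chrome|search"]
    lines = [base64.b64encode(e) for e in entries] + [b"not base64!!"]
    (logdir / "log-2023-10-18.txt").write_bytes(b"\n".join(lines) + b"\n")
    (root / "files" / "log-notes.txt").write_bytes(b"decoy\n")  # wrong name and location
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for log in find_keylogs(sample_root):
        print(decode_keylog(log))
```

Run it against a directory where the suspect app's private storage has been extracted (for example via a forensic image or `adb backup`); the decoded entries show which app was in the foreground and what was typed, which is exactly what the fraud operator would have received.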

For bypassing authentication, SpyNote reads incoming SMS messages and extracts temporary codes, and can scrape Google Authenticator values through Accessibility abuse. It records the screen and audio via Android Media Projection APIs to observe user actions in real time, enabling on-device fraud in combination with social engineering calls. Network behavior includes socket-based C2 connections using hardcoded, Base64-encoded IPs and uncommon ports (examples include 7771); data is packaged with a custom framing (length field + null byte + GZip-compressed payload) before transmission.
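The custom C2 framing (length field, null byte, GZip-compressed payload) is what a network analyst needs to recognise and unpack when carving a captured socket stream. The following added example, not code from the report or from Cleafy, implements a parser for that framing and a small encoder used only to construct test traffic. The report does not state how the length field is encoded; this example assumes ASCII decimal digits terminated by the null byte, and that frames may be concatenated back-to-back in one TCP stream.

```python
import gzip
import zlib

# Assumed framing, based on the report's description (length encoding is an assumption):
#   <ASCII decimal length of compressed data> 0x00 <GZip-compressed payload>
GZIP_MAGIC = b"\x1f\x8b"


def encode_frame(payload: bytes) -> bytes:
    """Build one frame in the assumed framing. Used here only to construct
    sample traffic for testing the parser."""
    compressed = gzip.compress(payload)
    return str(len(compressed)).encode("ascii") + b"\x00" + compressed


def parse_frames(stream: bytes):
    """Split a captured byte stream into decompressed messages.

    Returns (messages, leftover). Parsing stops at the first malformed or
    incomplete frame; `leftover` holds the unconsumed bytes so a caller
    reading from a live socket can append more data and retry.
    """
    messages = []
    pos = 0
    while pos < len(stream):
        sep = stream.find(b"\x00", pos)
        if sep == -1:
            break  # no length terminator yet
        length_field = stream[pos:sep]
        if not length_field.isdigit():
            break  # not the expected framing
        length = int(length_field)
        start, end = sep + 1, sep + 1 + length
        if end > len(stream):
            break  # incomplete frame, wait for more data
        blob = stream[start:end]
        if blob[:2] != GZIP_MAGIC:
            break  # length field present but payload is not GZip
        try:
            messages.append(gzip.decompress(blob))
        except (OSError, zlib.error, EOFError):
            break  # corrupt compressed data
        pos = end
    return messages, stream[pos:]


def looks_like_spynote_framing(stream: bytes) -> bool:
    """Detection heuristic: True if at least one complete, well-formed frame
    parses from the start of the stream."""
    messages, _ = parse_frames(stream)
    return len(messages) > 0


if __name__ == "__main__":
    # Constructed sample: two complete frames followed by the start of a third.
    capture = encode_frame(b"ping") + encode_frame(b'{"cmd":"list_apps"}') + b"40\x00\x1f\x8b"
    msgs, rest = parse_frames(capture)
    print(msgs, rest)
```

On a real capture, feed the TCP payload bytes of one direction of the connection to `parse_frames`; a stream of plain GZip blobs each prefixed by a decimal length and a null byte on an unusual port (the report lists 7771 and 7775) is a strong indicator worth alerting on, independent of the hardcoded C2 addresses.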

To resist analysis and removal, the malware obfuscates class names, inserts junk code, performs anti-emulator checks, hides its launcher icon, and prevents manual uninstall. It can also download additional Dex modules from the C2 to extend capability. Detection should focus on Accessibility permission abuse, new hidden apps, Base64-encoded local logs, unusual outbound sockets to the listed C2s, and recently downloaded Dex files.

Read more: https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions