SpyNote: Revealing a Complex Android Malware Threat

SpyNote is an advanced Android RAT disguised as a fake Avast antivirus app that leverages Accessibility Service abuse, gesture simulation, and device-admin privileges to gain broad control, persist on devices, and steal sensitive data including cryptocurrency wallet information. The campaign distributes the malware via phishing domains hosting Avastavv.apk and contacts a C2 server at 45.94.31.96; researchers attribute activity to the EVLF/CypherRat actor. #SpyNote #EVLF

Keypoints

  • SpyNote masquerades as a fake Avast Mobile Security APK (Avastavv.apk) to trick users into installing it.
  • It abuses Android Accessibility Service and simulated gestures to grant itself extensive permissions silently.
  • The malware uses obfuscation and emulator checks to evade analysis and hides artifacts to resist detection.
  • SpyNote targets cryptocurrency wallets (e.g., Trust Wallet, Binance) and actively harvests credentials and app data.
  • It maintains persistence through device-admin privileges, broadcast receivers, foreground services, overlays, and uninstall prevention techniques.
  • Distribution is via phishing domains (e.g., avastop[.]com) and it attempts to connect to a C2 at 45[.]94[.]31[.]96[:]7544.

MITRE Techniques

  • [T1660] Phishing – Delivered via deceptive download pages and phishing domains (‘distributed as a fake Avast antivirus and, upon installation, it adopts the name and icon of “Avast Mobile Security for Android”’ / ‘https[:]//avastop[.]com/Avastavv.apk’).
  • [T1624.001] Broadcast Receivers – Uses broadcast receivers to auto-start services and maintain presence (‘Listens for broadcast intents and starts specific services if they are not already running’).
  • [T1541] Foreground Persistence – Ensures the app remains active and visible via foreground service notifications (‘Creates and shows a high-priority notification, then starts necessary jobs and services in the background’).
  • [T1626.001] Device Administrator Permissions – Requests device admin privileges to strengthen control (‘Request device administrator privileges using the DevicePolicyManager’).
  • [T1628] Hide Artifacts – Hides its presence and clears traces to avoid detection (‘Hides the app icon from the launcher’ / ‘Deletes log files to remove traces’).
  • [T1628.002] User Evasion – Prevents user actions that would stop or remove it (‘simulates a “back” action to prevent uninstallation and escapes to the home screen’).
  • [T1629] Impair Defenses – Disables protections and phishing detection to avoid being flagged (‘App includes meta-data that disables Google’s phishing detection’).
  • [T1406] Obfuscated Files or Information – Employs code obfuscation to thwart static analysis (‘This specimen of SpyNote RAT is obfuscated to counter static analysis and thwart reverse engineering’).
  • [T1633] Virtualization/Sandbox Evasion – Detects emulators and non-standard environments to avoid analysis (‘checks for an analysis environment, such as an emulator or virtual machine’).
  • [T1417] Input Capture – Captures user input and credentials via accessibility APIs and keylogging (‘captures and stores lock screen passwords’ / ‘readAllTextOnScreen to gather all text displayed on the screen’).
  • [T1430] Location Tracking – Tracks device location to monitor user movements (‘Monitors and retrieves the device’s location…sends it to a remote server’).
  • [T1422] Internet Connection Discovery – Monitors network state and repeatedly checks connectivity before contacting C2 (‘monitors network traffic to check for an active internet connection’ / repeated SYNs to 45[.]94[.]31[.]96).
  • [T1517] Access Notifications – Reads and monitors notifications to capture sensitive info (‘Monitors notifications for sensitive information’).
  • [T1429] Audio Capture – Records audio from the device without consent (‘Records audio without user consent’).
  • [T1513] Screen Capture – Uses MediaProjection and accessibility APIs to take screenshots and continuous captures (‘startCapture method initiates a screen capture session’).
  • [T1646] Exfiltration Over C2 Channel – Sends harvested data to a command-and-control server (‘sends stolen data to command-and-control servers’).
  • [T1516] Input Injection – Simulates gestures and clicks to grant permissions and interact with the UI (‘leverages the accessibility service to simulate click gestures using the dispatchGesture method’).
  • [T1582] SMS Control – Sends SMS messages from the device for propagation or fraud (‘The malware has the capability to send SMS messages using the device’s messaging service’).
  • [T1616] Call Control – Uses telephony capabilities for calls or related actions (the report lists Call Control among the sample’s Collection capabilities).
  • [T1414] Clipboard Data – Targets clipboard contents as part of data collection (the report lists Clipboard Data as a targeted artifact under Collection).
  • [T1636] Protected User Data – Accesses sensitive protected data across apps using accessibility and overlay techniques (‘Collects and stores credentials and sensitive data in external storage before deletion’).
  • [T1512] Video Capture – Can record video or capture camera frames for surveillance (‘CameraHandler captures images or video from the device’s camera’).

Indicators of Compromise

  • [File name] Malware APK – Avastavv.apk (fake Avast installer)
  • [File hash] Known sample hashes – MD5 214aad6338d607df7ec75a2c48af09d5, SHA-256 94a3b1fc830323234f5ac6e69cf0840507c23e15bee5c8c3aa86fddaf61ef8b1
  • [Domain] Phishing hosts – avastop[.]com, avastxo[.]com, and 12 more avast*.com domains involved in distribution
  • [URL] Malware download URL – https[:]//avastop[.]com/Avastavv.apk (phishing download link)
  • [IP address] Command-and-control – 45[.]94[.]31[.]96 (C2 server targeted by the sample)

————
SpyNote is a feature-rich Android remote-access trojan that masquerades as a legitimate Avast mobile security installer to coax users into granting dangerous permissions. Once installed, it leverages Accessibility Service abuse and simulated gestures to automatically approve runtime permissions, request device-admin rights, disable battery optimizations, and hide its icon — all tactics that let it run persistently and resist uninstallation.

The malware is heavily obfuscated and includes emulator/sandbox checks to thwart analysis; it also uses broadcast receivers, foreground services, overlays, and VPN-like components to maintain connectivity and persist across reboots. Operational capabilities include screen and audio capture, keylogging and clipboard theft, camera capture, SMS sending, and focused attacks on cryptocurrency wallets (Trust Wallet, Binance) to intercept balances and credentials.
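The capability set described above (accessibility service, device admin, boot receivers, overlays, foreground services, a VPN-style service, SMS, audio and camera) is visible in a decoded AndroidManifest.xml before any dynamic analysis. The following triage script is an added example written for this summary, not code from the CyFIRMA report or from the malware; it maps real Android permission and action strings to the capabilities named in the text and rates the combination. The manifest it parses is constructed for the example (the package name com.example.fakeav is invented), and the label/package impersonation heuristic assumes the genuine vendor app lives under a com.avast. package prefix.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Union

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
LABEL = f"{{{ANDROID_NS}}}label"

# (capability, where it is declared, Android identifier). The identifiers are real;
# the capability names and the grouping are this example's own.
RULES = [
    ("accessibility-service", "service_permission", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    ("device-admin", "receiver_permission", "android.permission.BIND_DEVICE_ADMIN"),
    ("boot-autostart", "receiver_action", "android.intent.action.BOOT_COMPLETED"),
    ("overlay", "uses_permission", "android.permission.SYSTEM_ALERT_WINDOW"),
    ("foreground-service", "uses_permission", "android.permission.FOREGROUND_SERVICE"),
    ("vpn-service", "service_permission", "android.permission.BIND_VPN_SERVICE"),
    ("sms-send", "uses_permission", "android.permission.SEND_SMS"),
    ("audio-capture", "uses_permission", "android.permission.RECORD_AUDIO"),
    ("camera", "uses_permission", "android.permission.CAMERA"),
    ("notification-access", "service_permission", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"),
]
# The combination SpyNote uses to take and keep control of the device.
CONTROL_TAKEOVER = {"accessibility-service", "device-admin", "overlay", "boot-autostart"}


def extract_declarations(manifest_xml: Union[str, bytes]) -> Dict[str, Set[str]]:
    """Collect the manifest declarations the rules look at, keyed by declaration kind."""
    data = manifest_xml if isinstance(manifest_xml, bytes) else manifest_xml.encode("utf-8")
    root = ET.fromstring(data)
    decl: Dict[str, Set[str]] = {k: set() for k in
                                 ("uses_permission", "service_permission", "receiver_permission", "receiver_action")}
    for el in root.iter("uses-permission"):
        decl["uses_permission"].add(el.get(NAME, ""))
    for svc in root.iter("service"):
        if svc.get(PERMISSION):
            decl["service_permission"].add(svc.get(PERMISSION))
    for rcv in root.iter("receiver"):
        if rcv.get(PERMISSION):
            decl["receiver_permission"].add(rcv.get(PERMISSION))
        for action in rcv.iter("action"):
            decl["receiver_action"].add(action.get(NAME, ""))
    return decl


def capabilities(manifest_xml: Union[str, bytes]) -> List[str]:
    """Capabilities (in RULES order) that the manifest declares."""
    decl = extract_declarations(manifest_xml)
    return [cap for cap, kind, value in RULES if value in decl[kind]]


def impersonates_vendor(manifest_xml: Union[str, bytes]) -> bool:
    """Heuristic (assumption): an app labelled 'Avast' outside the com.avast. namespace is suspicious."""
    data = manifest_xml if isinstance(manifest_xml, bytes) else manifest_xml.encode("utf-8")
    root = ET.fromstring(data)
    app = root.find("application")
    label = (app.get(LABEL, "") if app is not None else "").lower()
    package = root.get("package", "")
    return "avast" in label and not package.startswith("com.avast.")


def verdict(manifest_xml: Union[str, bytes]) -> str:
    """'high' for the full SpyNote-style takeover set, 'medium' for accessibility or device admin alone."""
    caps = set(capabilities(manifest_xml))
    if CONTROL_TAKEOVER <= caps:
        return "high"
    if caps & {"accessibility-service", "device-admin"}:
        return "medium"
    return "low"


# Constructed manifest modelled on the behaviours the report describes (not the real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Avast Mobile Security">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, m in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, verdict(m), capabilities(m), "impersonation" if impersonates_vendor(m) else "")
```

Run this over the output of `apktool d` (or any decoded manifest) to rank APKs for manual review; the capability list alone is not a malware verdict, since legitimate security and accessibility apps declare some of these, which is why the rating keys on the combination rather than on any single permission.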

Distribution is driven by a phishing campaign using multiple avast*.com domains hosting Avastavv.apk, and the sample repeatedly attempts to contact a C2 at 45.94.31.96. Defenders should block the listed domains/IP, monitor for the provided hashes and filenames, and enforce least-privilege, app whitelisting, and behavior-based detection to mitigate this evolving threat.
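To act on the IOCs listed above, a defender needs them refanged and matched against DNS, proxy, firewall and endpoint logs. The script below is an added example for this summary, not tooling from the report; it carries the page's indicators (the two listed domains, the avast*.com look-alike pattern, the C2 IP and port, the MD5/SHA-256 hashes and the APK name), refangs defanged notation, and scans constructed sample log lines. The log formats and the client addresses in them are invented for the example, and the look-alike pattern is deliberately written so the vendor's own avast.com does not match.

```python
import re
from typing import Dict, List

# --- Indicators from the report above, refanged so they match live log data ---
IOC_DOMAINS = {"avastop.com", "avastxo.com"}
# The report names 12 further avast*.com distribution domains without listing them; this pattern
# flags look-alikes but requires at least one extra character so the genuine avast.com never fires.
LOOKALIKE_DOMAIN = re.compile(r"^avast[a-z0-9-]+\.com$")
IOC_IPS = {"45.94.31.96"}
IOC_C2_PORT = 7544
IOC_HASHES = {
    "214aad6338d607df7ec75a2c48af09d5",                                  # MD5
    "94a3b1fc830323234f5ac6e69cf0840507c23e15bee5c8c3aa86fddaf61ef8b1",  # SHA-256
}
IOC_FILENAMES = {"avastavv.apk"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")
HASH_RE = re.compile(r"\b([0-9a-f]{64}|[0-9a-f]{32})\b")
APK_RE = re.compile(r"([\w.-]+\.apk)\b")


def refang(indicator: str) -> str:
    """Turn defanged notation (45[.]94[.]31[.]96[:]7544, https[:]//avastop[.]com) back into its live form."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def match_line(line: str) -> List[str]:
    """Return the reasons one log line matches the SpyNote indicators (empty list means clean)."""
    text = line.lower()
    reasons: List[str] = []
    for host in HOST_RE.findall(text):
        if host in IOC_DOMAINS:
            reasons.append(f"domain:{host}")
        elif LOOKALIKE_DOMAIN.match(host):
            reasons.append(f"lookalike-domain:{host}")
    for ip, port in IP_RE.findall(text):
        if ip in IOC_IPS:
            tag = f"c2-ip:{ip}"
            if port and int(port) == IOC_C2_PORT:
                tag += f":{port}"       # connection to the exact C2 port the report observed
            reasons.append(tag)
    for h in HASH_RE.findall(text):
        if h in IOC_HASHES:
            reasons.append(f"hash:{h[:12]}...")
    for name in APK_RE.findall(text):
        if name in IOC_FILENAMES:
            reasons.append(f"filename:{name}")
    return reasons


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one hit record per matching line."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        reasons = match_line(line)
        if reasons:
            hits.append({"line_no": n, "reasons": reasons, "line": line})
    return hits


# Constructed log lines (formats and client IPs invented) exercising each indicator type.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z dns query=avastop.com type=A client=10.0.0.12",
    "2024-05-01T10:00:02Z proxy GET https://avastop.com/Avastavv.apk client=10.0.0.12 status=200",
    "2024-05-01T10:00:03Z av file=/sdcard/Download/Avastavv.apk "
    "sha256=94a3b1fc830323234f5ac6e69cf0840507c23e15bee5c8c3aa86fddaf61ef8b1 client=10.0.0.12",
    "2024-05-01T10:00:09Z fw SYN 10.0.0.12:41122 -> 45.94.31.96:7544 action=allow",
    "2024-05-01T10:00:10Z dns query=avastsecure.com type=A client=10.0.0.12",   # look-alike, not listed
    "2024-05-01T10:00:11Z dns query=www.avast.com type=A client=10.0.0.33",     # legitimate vendor, must not fire
    "2024-05-01T10:05:00Z proxy GET https://example.org/index.html client=10.0.0.33 status=200",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit["line_no"], ", ".join(hit["reasons"]))
```

A single device hitting the download domain, the APK filename and then the C2 port in sequence (lines 1 to 4 of the sample) is the pattern worth alerting on; the look-alike match on its own is a lower-confidence signal for analyst review.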

Read more: https://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/