{
	"id": "5cc8e815-9cdf-4fad-be66-2574808e7cb8",
	"created_at": "2026-04-06T00:06:56.827524Z",
	"updated_at": "2026-04-10T03:30:33.706567Z",
	"deleted_at": null,
	"sha1_hash": "1d11be1fe5f1cff4df9160bdee66e46e8e01ee4a",
	"title": "SpyNote Android malware infections surge after source code leak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2384208,
	"plain_text": "SpyNote Android malware infections surge after source code leak\r\nBy Bill Toulas\r\nPublished: 2023-01-05 · Archived: 2026-04-05 16:09:57 UTC\r\nThe Android malware family tracked as SpyNote (or SpyMax) saw a sudden increase in detections in the final quarter of 2022, an increase attributed to the source code leak of one of its latest variants, known as 'CypherRat.'\r\n'CypherRat' combines SpyNote's spying capabilities, such as remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials.\r\nCypherRat was sold via private Telegram channels from August 2021 until October 2022, when its author decided to publish its source code on GitHub, following a string of scamming incidents on hacking forums that impersonated the project.\r\nThreat actors quickly snatched the malware's source code and launched their own campaigns. Almost immediately, custom variants appeared that targeted reputable banks like HSBC and Deutsche Bank.\r\nSome of the banks targeted by SpyNote (ThreatFabric)\r\nIn parallel, other actors opted to masquerade their versions of CypherRat as Google Play, WhatsApp, and Facebook, targeting a wider audience.\r\nImpersonated applications (ThreatFabric)\r\nThis activity was observed by ThreatFabric analysts, who warn that CypherRat may become an even more widespread threat.\r\nSpyNote malware features\r\nAll SpyNote variants in circulation rely on the user granting them access to Android's Accessibility Service, which they then abuse to install new apps, intercept SMS messages (defeating SMS-based 2FA), snoop on calls, and record video and audio on the device.\r\nMalicious app requesting access to Accessibility Service (ThreatFabric)\r\nThreatFabric lists the following as \"standout\" features:\r\nUse the Camera API to record videos on the device and send them to the C2 server\r\nGPS and network location tracking\r\nStealing Facebook and Google account credentials\r\nUse Accessibility (A11y) to read one-time codes off the screen of Google Authenticator\r\nUse keylogging powered by Accessibility services to steal banking credentials\r\nTo hide its malicious code from scrutiny, the latest versions of SpyNote employ string obfuscation and use commercial packers to wrap the APKs.\r\nMoreover, all information exfiltrated from SpyNote to its C2 server is base64-encoded to hide the host. Base64 is an encoding, not encryption: it defeats a naive string search for the C2 hostname, but an analyst or network sensor that decodes the payload recovers it in full.\r\nThreat actors currently use CypherRat as a banking trojan, but the malware could also be used as spyware in low-volume targeted espionage operations.\r\nThreatFabric believes that SpyNote will continue to constitute a risk for Android users and estimates that various forks of the malware will appear as we head deeper into 2023.\r\nWhile ThreatFabric has not shared how these malicious apps are being distributed, they are likely spread through phishing sites, third-party Android app sites, and social media.\r\nFor this reason, users are advised to be very cautious when installing new apps, especially ones that come from outside Google Play, and to reject requests to grant access to the Accessibility Service. On a device suspected of infection, the list of enabled accessibility services (Settings > Accessibility) is the first place to look: a service registered by an app that has no accessibility purpose is a strong indicator.\r\nUnfortunately, despite Google's continual efforts to stop the abuse of Accessibility Service APIs by Android malware, there are still ways to bypass the imposed restrictions.\r\nUpdate 1/6/23 - A Google spokesperson has sent BleepingComputer the following comment:\r\nGoogle Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Users are protected by Google Play Protect, which can warn users or block identified malicious apps on Android devices.\r\nSource: https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/"
	],
	"report_names": [
		"spynote-android-malware-infections-surge-after-source-code-leak"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434016,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d11be1fe5f1cff4df9160bdee66e46e8e01ee4a.pdf",
		"text": "https://archive.orkl.eu/1d11be1fe5f1cff4df9160bdee66e46e8e01ee4a.txt",
		"img": "https://archive.orkl.eu/1d11be1fe5f1cff4df9160bdee66e46e8e01ee4a.jpg"
	}
}