{
	"id": "30202da7-c91a-46fb-a8f5-5ee728feba27",
	"created_at": "2026-04-06T00:11:21.335035Z",
	"updated_at": "2026-04-10T03:30:33.780576Z",
	"deleted_at": null,
	"sha1_hash": "265d9cd08fd0ef0711b1075aebfd30ae4efbbc25",
	"title": "SpyNote Android malware spreads via fake volcano eruption alerts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3134424,
	"plain_text": "SpyNote Android malware spreads via fake volcano eruption alerts\r\nBy Bill Toulas\r\nPublished: 2023-10-17 · Archived: 2026-04-05 19:41:46 UTC\r\nThe Android 'SpyNote' malware was observed in attacks targeting Italy that used a fake 'IT-alert' public alert site to infect visitors with the information-stealing malware.\r\nIT-alert is a legitimate public service operated by the Italian government, specifically the Department of Civil Protection, to provide emergency alerts and guidance to the population during imminent or ongoing disasters such as wildfires, floods, and earthquakes.\r\nItalian researchers at D3Lab first spotted the fake IT-alert site, which warns of an elevated possibility of an upcoming volcano eruption and urges visitors to install an app to stay informed.\r\nFake IT-alert website pushing SpyNote (D3Lab)\r\nIf the download button is clicked from an iOS device, the user is redirected to the real IT-alert site, but Android users attempting to download the app directly receive 'IT-Alert.apk.'\r\nThe APK (Android package) file installs SpyNote on the device, and the app then asks the user to grant it access to Accessibility services. Accessibility services can read whatever is on screen and perform taps and text entry on the user's behalf, so once granted they let the attackers perform a wide range of dangerous and invasive actions on the compromised device.\r\nApp requesting to run in the background (D3Lab)\r\nSpyNote can also perform overlay injection attacks to steal user credentials when the victim opens banking, cryptocurrency wallet, and social media applications.\r\nOther documented capabilities of this malware include camera recording, GPS and network location tracking, standard keylogging, screenshot capturing, phone call recording, and targeting Google and Facebook accounts.\r\nSpyNote spikes after source code leak\r\nThe SpyNote Android malware was first documented in 2022 and is now in its third major version, which is sold to cybercriminals through Telegram.\r\nIn January 2023, a ThreatFabric report warned that SpyNote detections spiked following the source code leak of one of its variants, codenamed 'CypherRat.'\r\nSome of those who got their hands on the leaked source code created custom variants targeting specific banks, while others opted to masquerade it as Google's Play Store, Play Protect, WhatsApp, and Facebook.\r\nLate last week, a report from F-Secure highlighted the rising prominence of SpyNote, providing a detailed analysis of its features and capabilities.\r\nTo defend against these threats, avoid downloading and installing APKs from outside the Play Store unless you specifically trust the publisher. The genuine IT-alert service delivers its warnings over cell broadcast and does not require installing an app, so any 'IT-alert' page that pushes an APK should be treated as malicious.\r\nUpdate 10/18 - A Google spokesperson confirmed via a comment sent to BleepingComputer that SpyNote is not present in any apps available on Google Play, Android's official app store.\r\nBased on our current detection, no apps containing this spyware are found on Google Play. Google implemented user protections for this spyware ahead of this report's publication. Users are protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services. - Google\r\nSource: https://www.bleepingcomputer.com/news/security/spynote-android-malware-spreads-via-fake-volcano-eruption-alerts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/spynote-android-malware-spreads-via-fake-volcano-eruption-alerts/"
	],
	"report_names": [
		"spynote-android-malware-spreads-via-fake-volcano-eruption-alerts"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/265d9cd08fd0ef0711b1075aebfd30ae4efbbc25.pdf",
		"text": "https://archive.orkl.eu/265d9cd08fd0ef0711b1075aebfd30ae4efbbc25.txt",
		"img": "https://archive.orkl.eu/265d9cd08fd0ef0711b1075aebfd30ae4efbbc25.jpg"
	}
}