{
	"id": "ce6d711b-c788-41ad-9694-e32b709bee6b",
	"created_at": "2026-04-06T00:08:57.690322Z",
	"updated_at": "2026-04-10T03:30:33.800559Z",
	"deleted_at": null,
	"sha1_hash": "3bd5cd5b07a10442669b75a83ae657988964619c",
	"title": "SpyNote continues to attack financial institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6751825,
	"plain_text": "SpyNote continues to attack financial institutions\r\nBy Francesco Iubatti,\r\nArchived: 2026-04-05 16:18:25 UTC\r\nKey points\r\nStarting from the end of 2022, an Android spyware called SpyNote has been observed carrying out bank fraud, enabled by its many features.\r\nSpyNote abuses Accessibility services and other Android permissions in order to:\r\n- Collect SMS messages and the contacts list;\r\n- Record audio and the screen;\r\n- Log keystrokes;\r\n- Bypass 2FA;\r\n- Track GPS location.\r\nThe spyware is distributed through email phishing or smishing campaigns, and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attacks.\r\nDuring June and July 2023, we observed an extensive campaign against multiple European customers of different banks.\r\nFigure 1 – SpyNote infections based on Cleafy telemetry\r\nIntroduction\r\nOver the last few years, the Cleafy Threat Intelligence Team has discovered and analyzed multiple Android banking trojans (e.g. Sharkbot, Teabot), namely malicious applications used to carry out bank fraud through ATO or ATS techniques.\r\nHowever, in recent months we have observed an increase in spyware infections, particularly SpyNote (Figure 1). Although spyware is usually used to collect user data (and profit from it) or to conduct espionage campaigns, SpyNote is currently also used to perform bank fraud. Similar campaigns were also reported by other researchers during the current year.\r\nBy analyzing these recent campaigns, we observed that the infection chain usually starts with a fake SMS message (smishing) in which the user is asked to install the “new certified banking app”. A second message follows, redirecting the user to the legitimate TeamViewer app, an application used to receive remote technical support. The right-hand image of Figure 2 shows how the link redirects the user to the official TeamViewer QuickSupport app on the Google Play Store.\r\nhttps://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions\r\nPage 1 of 8\r\nFigure 2 – Examples of SMS messages used during the recent SpyNote campaign.\r\nAccording to our analysis, TeamViewer has been adopted by several TAs to execute fraud operations through social engineering attacks. In particular, the attacker calls the victim impersonating a bank operator and performs fraudulent transactions directly on the victim’s device.\r\nDuring our analysis, we intercepted multiple samples masquerading as various applications, such as security apps, bank names or Android updates, as shown in Figure 3.\r\nFigure 3 – Examples of icons/names used by SpyNote\r\nMain features\r\nSimilar to other Android banking trojans, SpyNote abuses the Accessibility services granted by the victim during the installation of the app. The spyware uses this permission to accept other permission popups automatically (Figure 4) and to perform keylogging.\r\nSpyNote has many capabilities (e.g., access to the camera or microphone of the infected device, GPS tracking, etc.), but in this article we explain only the main features used to perform banking fraud.\r\nFigure 4 – SpyNote installation phases and permissions automatically accepted\r\nKeylogger\r\nOnce the user accepts the Accessibility popup, SpyNote can see every action performed by the user on the compromised device. In particular, the spyware tracks:\r\n- The list of applications installed on the infected device;\r\n- Which application the user is using and, in particular, some specific app properties such as package name, name, label, etc.;\r\n- Any text written by the user.\r\nTo keep track of the above information, SpyNote saves everything (encoded in Base64) inside a “log-yyyy-mm-dd.txt” file, in a directory created by the spyware named “/Config/sys/apps/log”.\r\nFigure 5 - SpyNote keylogger file\r\nThis feature can be used by TAs to identify the banking application(s) used by the victim and then to steal credentials (as shown in Figure 6), credit card information, or other sensitive data.\r\nFigure 6 - Example of how SpyNote is able to steal bank credentials\r\nSMS Collection \u0026 2FA Bypass\r\nMany apps (e.g., email, social networks, etc.) support two-factor authentication (2FA) codes as an extra layer of security. This means that, in addition to the password, the user must also enter a code to log into the account; this code can be generated by apps like Google Authenticator or sent via SMS message or email. For banks, as established by the EU’s Payment Services Directive 2 (PSD2), strong customer authentication (SCA) is required to confirm a money transaction, such as a PIN sent by the bank to the user's device or a fingerprint.\r\nSpyNote can gather SMS messages received by the user and transmit them to the C2 server (Figure 7), and it can also gain access to the temporary codes generated by the Google Authenticator app by exploiting the Accessibility services.\r\nFigure 7 - Example of SMS message stolen by SpyNote\r\nC2 Communications\r\nOnce installed, SpyNote contacts the C2 over a socket connection using an IP address and port hardcoded in the application code, both encoded in Base64.\r\nBy analyzing multiple samples, we observed that a characteristic of SpyNote is the use of various uncommon ports (the following sample uses port 7771) to communicate with the C2 server.\r\nThe data exchanged between the spyware and the C2 server is packaged with a custom scheme (Figure 8): the first bytes encode the length of the data, followed by a null byte, followed by the data compressed with GZip.\r\nFigure 8 – Example of SpyNote communication with the C2\r\nScreen Recording and Defense Evasion\r\nAnother interesting technique adopted by TAs to observe user actions and collect more information is the use of the Media Projection APIs. This Android feature allows the content of the device display to be captured. As shown in Figure 9, the user can see in the notification panel that an application, in this case “CERTIFCATO”, is projecting the screen.\r\nFigure 9 – Screen recording in action\r\nDefense Evasion\r\nSpyNote uses several defense evasion techniques, such as the obfuscation of all class names (Figure 10), the use of junk code to slow down static analysis, and anti-emulator checks to prevent it from being launched and analyzed within an emulator or sandbox by security analysts. It is also capable of downloading additional files from the C2 server (Figure 11).\r\nFigure 10 – Example of SpyNote code obfuscation\r\nFurthermore, after installation the application icon is not shown on the device display, and the app prevents the user from manually removing it via the settings.\r\nConclusion\r\nAlthough this is not the first time that spyware has been used to carry out bank fraud (e.g., Revive: from spyware to Android banking trojan), this SpyNote campaign is certainly one of the most aggressive in recent times.\r\nThis research aims to show new details about how TAs are using SpyNote and social engineering techniques to perform Account Takeover (ATO) attacks and on-device fraud (ODF) against customers of several banks in Europe.\r\nFinally, given the aggressiveness and extent of this recent SpyNote campaign, we assume that TAs will continue to use this spyware to carry out bank fraud thanks to its multiple functionalities.\r\nAppendix 1: IOCs\r\nIoC Description\r\n9e185dd6d7137357b61941525e935124 Md5 SpyNote (CERTIFCATO)\r\n291c24d9b3f4a5793a2600610671eb42 Md5 SpyNote (CertApp)\r\n37.120.141[.]144:7771 SpyNote C2 Server\r\n37.120.141[.]140:7775 SpyNote C2 Server\r\nSource: https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/spynote-continues-to-attack-financial-institutions"
	],
	"report_names": [
		"spynote-continues-to-attack-financial-institutions"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434137,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3bd5cd5b07a10442669b75a83ae657988964619c.pdf",
		"text": "https://archive.orkl.eu/3bd5cd5b07a10442669b75a83ae657988964619c.txt",
		"img": "https://archive.orkl.eu/3bd5cd5b07a10442669b75a83ae657988964619c.jpg"
	}
}