{
	"id": "a0c7e6fb-e686-4a74-ac37-2c274aed069a",
	"created_at": "2026-04-06T00:06:48.579662Z",
	"updated_at": "2026-04-10T03:24:39.877954Z",
	"deleted_at": null,
	"sha1_hash": "4497dadce5f066011fe8fbbcc2101f082a7501df",
	"title": "SpyNote: Unmasking a Sophisticated Android Malware - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5937050,
	"plain_text": "SpyNote: Unmasking a Sophisticated Android Malware - CYFIRMA\r\nArchived: 2026-04-05 23:37:33 UTC\r\nPublished On : 2024-11-06\r\nExecutive Summary\r\nAt Cyfirma, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious\r\nentities targeting both organizations and individuals. This report delves into the mechanics of SpyNote, a sophisticated\r\nvariant of Android malware. This comprehensive analysis reveals the malware’s intricate methods for disguising itself,\r\nescalating permissions, maintaining persistence, and evading detection. Through detailed code examination and execution\r\nobservations, we uncover how SpyNote leverages the Accessibility Service, disguises itself as a trusted antivirus app, and\r\npersistently attempts to communicate with its command-and-control server despite network obstacles. The findings highlight\r\nthe malware’s capabilities and the critical need for robust security measures to counteract such threats.\r\nIntroduction\r\nSpyNote, a notorious Android malware, has evolved into a highly advanced threat, capable of extensive control over\r\ninfected devices. This report provides an in-depth analysis of the malware’s functionalities, based on code analysis and real-time execution observations. We examine how SpyNote disguises itself, gains permissions, and attempts to maintain a\r\npersistent presence on infected devices. 
By exploring the malware’s network communication attempts, permission requests,\r\nand evasion techniques, we aim to shed light on its sophisticated operations and underline the importance of comprehensive\r\nsecurity measures to mitigate such threats.\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 1 of 32\n\nKey Findings\r\nThis malware is being distributed as a fake antivirus and, upon installation, it adopts the name and icon of “Avast\r\nMobile Security for Android” to deceive users.\r\nSpyNote leverages accessibility permission, which it uses to grant itself extensive control over the device, including\r\nexcluding itself from battery optimization and enabling notifications.\r\nSpyNote simulates user gestures to grant itself further permissions silently in the background.\r\nDisplays continuous silent notifications about a fake system update.\r\nPrevents uninstallation by simulating user actions to block removal attempts.\r\nOperates in the background and can restart its services if they are stopped.\r\nEmploys obfuscation to counter static analysis and reverse engineering.\r\nImplements device-specific adaptations to ensure persistence across a variety of device brands.\r\nTargets cryptocurrencies and wallets.\r\nActively seeks to steal data from other applications installed on the device.\r\nCollects data, such as credentials on the external storage (sdcard), and deletes them later to remove traces.\r\nMonitors network traffic to check for an active internet connection and attempts to connect to a command-and-control (C2) server for data exfiltration.\r\nThe malware checks for an analysis environment, such as an emulator or virtual machine.\r\nETLM Attribution\r\nSpyNote is a Remote Access Trojan (RAT) that first emerged in 2020. Since its inception, it has become one of the most\r\nprevalent malware families targeting Android devices. 
The malware has evolved significantly, with multiple variants and\r\nintegrations of other RATs. Researchers have identified over 10,000 samples of SpyNote, indicating its widespread\r\ndistribution and impact.\r\nThe source code leak of one of its variants, CypherRat, in late 2022 led to a surge in infections. This malware is attributed to\r\nthe threat actor known as EVLF (also known as CypherRat). This actor has actively distributed SpyNote on platforms such\r\nas Telegram.\r\nThis version of SpyNote is being distributed as a fake Avast antivirus (Avastavv.apk) for the Android platform on a phishing\r\nsite (https[:]//avastop[.]com/Avastavv.apk) that mimics the legitimate Avast antivirus website.\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 2 of 32\n\nAvastavv.apk download page\r\nClicking on the “Download for Android” link downloads the APK file onto the device, while the iOS option redirects to\r\nApple’s App Store download page for the “AnyDesk Remote Desktop” application.\r\nSimilarly, the desktop version of the website also downloads the AnyDesk executable for Windows and Mac. 
The download\r\nof AnyDesk, which is a remote desktop application, indicates a broader campaign aimed at gaining remote access to devices\r\nacross multiple platforms.\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 3 of 32\n\nDesktop version of phishing website\r\nWe have identified the following 14 domains involved in this campaign, all hosting the same phishing website and the fake\r\nAvast antivirus software for different platforms, including SpyNote:\r\navastop[.]com\r\navastxo[.]com\r\navastbk[.]com\r\navastpx[.]com\r\navastcsw[.]com\r\navastsf[.]com\r\navastsp[.]com\r\navastpy[.]com\r\navastwp[.]com\r\navastkb[.]com\r\navastxv[.]com\r\navastga[.]com\r\navastsgp[.]com\r\navastpst[.]com\r\nThreat Landscape:\r\nThe threat landscape in which SpyNote operates is increasingly complex and dynamic, characterized by rapid advancements\r\nin cybercriminal tactics and technologies. This landscape includes a proliferation of sophisticated malware families,\r\nextensive use of social engineering to deceive users, and the exploitation of vulnerabilities in widely used software and\r\nplatforms. Attackers are leveraging innovative methods to bypass security measures, such as using obfuscation techniques to\r\nevade detection by static analysis tools and employing advanced persistence mechanisms. 
Additionally, the rise of mobile\r\nmalware targeting both personal and enterprise devices underscores the importance of robust cybersecurity strategies to\r\nprotect sensitive data and maintain operational integrity in an ever-evolving digital environment.\r\nAnalysis of SpyNote RAT\r\nFile Details\r\nFile Name Avastavv.apk\r\nFile Size 38.63 MB (40509787 bytes)\r\nSigned Not signed\r\nMD5 214aad6338d607df7ec75a2c48af09d5\r\nSHA-256 94a3b1fc830323234f5ac6e69cf0840507c23e15bee5c8c3aa86fddaf61ef8b1\r\nAPK signature verification Valid APK signature\r\nThis specimen of SpyNote RAT is obfuscated to counter static analysis and thwart reverse engineering attempts. Due to this\r\nobfuscation, decompilers and other static analysis tools encounter errors when trying to decompile, decode, or read the APK\r\nfile:\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 4 of 32\n\nError in reading the manifest file\r\nError while decoding resource data\r\nWe successfully deobfuscated the AndroidManifest.xml file, uncovering extensive information about permissions,\r\ncapabilities, and more. The malware’s package name is produces.amber.ultra, targeting devices running Android 5\r\n(minSdkVersion=21) to Android 10 (targetSdkVersion=29):\r\nTarget android versions\r\nPermissions Overview:\r\nThis version of SpyNote malware requires several permissions to operate at its full potential. The manifest file lists\r\nnumerous permissions, indicating the capabilities and potentially malicious activities of the malware. 
The permissions\r\ndeclared in the manifest file are as follows:\r\nPermissions declared in the manifest file\r\nSEND_SMS, READ_SMS: The malware requests messaging permissions, enabling it to send and read SMS\r\nmessages, which could be used for spreading malware or incurring charges on the user’s account.\r\nREAD_CALL_LOG, READ_CONTACTS, GET_ACCOUNTS: Permissions for accessing call logs, contacts, and\r\naccounts highlight its capability to steal sensitive user information.\r\nCAMERA, RECORD_AUDIO: The inclusion of multimedia permissions allows it to spy on users through the\r\ncamera and microphone.\r\nACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION: Location permissions enable it to track the\r\nuser’s whereabouts.\r\nDISABLE_KEYGUARD, RECEIVE_BOOT_COMPLETED, FOREGROUND_SERVICE: System control\r\npermissions help the malware maintain persistence and control over the device.\r\nSYSTEM_ALERT_WINDOW, READ_PHONE_STATE: These permissions indicate that the malware can overlay\r\nwindows on top of other apps and access detailed phone state information.\r\nACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, INTERNET, CHANGE_WIFI_STATE: Networking\r\npermissions enable the malware to manipulate network settings and communicate with command-and-control\r\nservers.\r\noppo.permission.OPPO_COMPONENT_SAFE, oplus.permission.OPLUS_COMPONENT_SAFE: Device-specific permissions suggest that the malware is designed to target multiple brands and models. 
These components\r\nprovide some safety features and allow apps to access certain system components or settings in a secure manner, such\r\nas battery-saving modes or startup managers.\r\nSET_ALARM, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, REQUEST_INSTALL_PACKAGES,\r\nREQUEST_DELETE_PACKAGES: Additionally, permissions for setting alarms, requesting to ignore battery\r\noptimizations, and managing package installations further underline its extensive control over the device.\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 6 of 32\n\nThese permissions collectively reveal that the malware is equipped to perform a wide range of malicious activities, including\r\nspying, data theft, communication manipulation, and maintaining persistent control over the infected device.\r\nIn Android 5, users must grant these permissions at the time of installation. From Android 6 and above, users must explicitly\r\ngrant permissions at runtime. However, SpyNote circumvents these restrictions by leveraging a single service to obtain all\r\nthe desired permissions (see the Malware Dynamics section for more details).\r\nMalware’s Intentions:\r\nThe manifest file contains numerous intents and packages declared under the \u003cqueries\u003e tag. These intents (essentially intent-filters here) alongside the declared packages provide crucial insights into the malware’s operational objectives. They reveal\r\nhow the malware interacts with various device components, intercepts user activities, and performs unauthorized actions.\r\nPackage analysis:\r\nThe malware queries several packages, indicating the specific targets and potential interactions it seeks to exploit. 
This\r\nprovides insight into the range of applications and services the malware is designed to interact with, potentially intercepting\r\nor manipulating them for malicious purposes.\r\nCustom and Obfuscated Packages: These custom and highly obfuscated package names (the first three packages in\r\nthe list shown above) are likely used to confuse analysis and make the malware harder to detect. The use of such\r\nobscure names suggests an attempt to evade detection and complicate static analysis.\r\nObfuscated package names\r\nAnalytics, Ads Management and Communication: The manifest file references several packages, such as\r\nproduces.adsmanager and produces.analytics, which are not found in the code hierarchy. This discrepancy suggests\r\nthese packages may have been obfuscated or dynamically loaded to evade detection, indicating the potential for\r\nadditional hidden functionalities or malicious activities.\r\nSystem, Security Management and Device Manufacturers: These packages are related to various security and system\r\nmanagement apps from different device manufacturers, as well as core functionalities and settings of devices. They\r\naim to interact with or manipulate these security and device management apps, possibly to disable them, exploit their\r\nfeatures for malicious purposes, or maintain persistence on the device.\r\nMedia and Social Apps: These packages appear to be related to media and social apps, including Instagram and\r\nrelated services. The malware may target these apps to intercept or manipulate media and social interactions,\r\npotentially compromising user privacy and data integrity.\r\nMedia and social apps packages\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 7 of 32\n\nVR and Meta Platforms: These packages are related to Oculus VR and Meta platforms, suggesting potential targeting\r\nof VR platforms to manipulate or intercept VR experiences or data. 
As many of the packages are not used or\r\nreferenced in the code, the \u003cpackage\u003e declarations are likely meant to mask the malware by associating it with\r\nknown, legitimate apps or services. By listing these, the malware attempts to blend in and reduce suspicion.\r\nPackages: VR \u0026 Meta platforms\r\nIntent-Filter Analysis:\r\nViewing URLs: This intent-filter specifies that the app can handle the VIEW action for URLs with the scheme\r\n“https” and host “messenger[.]com”. By declaring this intent-filter, the malware indicates it can intercept and\r\nmanipulate attempts to view URLs associated with Facebook Messenger. This could lead users to phishing sites or\r\nmalicious web pages designed to steal personal information.\r\nHandling Data Actions: These intent-filters allow the app to handle the VIEW, SEND, PICK, and SEND_MULTIPLE\r\nactions for any MIME type. By declaring these intents, the malware indicates it can intercept, manipulate, and send\r\nany type of data, significantly broadening its scope of data interaction and exfiltration.\r\nIntercepting WhatsApp Services: These intents allow the app to monitor and interfere with WhatsApp services,\r\nparticularly in the context of instrumentation callbacks, payment setups, and OTP retrieval. This enables the malware\r\nto capture sensitive information and manipulate payment processes in WhatsApp and WhatsApp Business. By\r\nintercepting OTPs, it can facilitate unauthorized transactions and access. Additionally, the packages suggest that the\r\nmalware interacts with Google’s system and migration services, indicating potential manipulation or exploitation of\r\ndevice migration and data restoration processes. This could lead to unauthorized data access or control during these\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 8 of 32\n\noperations.\r\nExecution Pathways and Behavior:\r\n1. 
Main Activity:\r\nThis declaration sets MainActivity as the main entry point of the app, which is launched when the user taps the app icon.\r\nAdditionally, the main activity can be launched by other apps or the system. The app appears with the label “Avast,”\r\npotentially disguising itself as a legitimate and trusted application to evade initial suspicion and encourage installation.\r\nMain Activity\r\nThe class produces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxeojs2.MainActivity is equipped with initial\r\nverification methods to detect analysis environments. This method detects if the app is running on an emulator by checking\r\nvarious device properties, such as brand, device name, fingerprint, hardware, model, and product.\r\nCode snippet: Analysis environment detection\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 9 of 32\n\nIf any of these properties match known emulator signatures, the method returns true, indicating that the app is running in an\r\nemulated environment. By displaying an alert/warning that emulator devices are not supported, the malware seeks to avoid\r\ndetection and analysis. This method helps the malware remain undetected and fully operational on real user devices.\r\nEmulator detection alert\r\nSecurity researchers often use emulators to safely study malware behavior, so this tactic discourages or even outright\r\nprevents analysis by making the malware appear non-functional in these environments.\r\nThe MainActivity class is also responsible for setting up the primary interface and functionality of SpyNote. It initializes\r\nkey components such as WebView and handles file uploads through a file chooser. The activity defines various\r\nOnClickListeners to manage user interactions, including closing the activity and opening Wi-Fi settings. 
Additionally, it\r\nperforms essential actions, such as checking for internet connectivity, and ensuring the app can communicate with its remote\r\nserver.\r\n2. Exported Activities:\r\nSpyNote employs numerous activities that act as entry points for the malware, known as exported activities. These activities\r\ncan be launched by other applications or the system, broadening the scope of interaction and exploitation. Here’s an example\r\nof one such activity used by the malware:\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxeojs2.seyzoofftdvqmzujpzrnvvtyzyyovqgtcszoiyvtgxfaymsjxr2\r\nis the class invoked by this activity. It ultimately sets its content view to the layout located in the resource section\r\n(resources.arsc/layout/activity_req_access.xml) to request accessibility permissions.\r\nIf the user grants Accessibility Service permissions to the malware on the device, the malware retrieves the necessary\r\npermission array from the utilities class and proceeds to request additional permissions. This grants the malware extensive\r\ncontrol over the device, enabling it to perform various malicious activities without further user intervention:\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 10 of 32\n\nCode snippet: permissions in utilities class\r\nRequesting permissions by calling ActivityCompat class\r\nTo automatically obtain these permissions, SpyNote leverages the accessibility service to simulate click gestures using the\r\ndispatchGesture method. This allows the malware to grant permissions on behalf of the user, ensuring it gains extensive\r\ncontrol without requiring further user intervention:\r\nCode snippet: Simulating click gesture\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 11 of 32\n\nTo conceal its activity from the user, it displays a blank screen while obtaining all the desired permissions. 
Once the\r\npermissions are granted, it transitions to the home screen and clears all recent tasks, effectively hiding any traces of its\r\nactions:\r\nCode snippet: clears recent task and moves to home screen\r\nOther potential entry points for this variant of SpyNote are as described follows:\r\nExported Activity/Receiver Purpose\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2.FloatingView\r\nIt intercepts key events for\r\nthe home, back, and menu\r\nbuttons, preventing their\r\ndefault actions. The activity\r\nincludes custom WebView\r\nclients to manage web\r\ncontent and a JavaScript\r\ninterface to handle data\r\nreturned from JavaScript.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2.wjbcywllmqlrhvwntgrydibuivuhvvehktwvjkzeoefmbsvsne4\r\nCraxsBrowser\r\nThis class uses WebView to\r\ndisplay web content. It\r\nhandles file uploads, extracts\r\npasswords from web pages,\r\nand stores the data on the\r\ndevice. By presenting itself\r\nas a web browser, it aims to\r\nphish user credentials and\r\nstore them for later retrieval.\r\nProduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2. CameraActvity\r\nActs as a trigger to start\r\nCameraHandler\r\n, which manages the camera\r\noperations and transmits\r\ndata to a remote server.\r\nProduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. RequestScreenCap\r\nFacilitates continuous\r\nmonitoring of the device’s\r\nscreen, capturing sensitive\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 12 of 32\n\ninformation without user\r\nconsent.\r\nProduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. SecondActivity\r\nPerforms a variety of tasks\r\nrelated to managing\r\npermissions, detecting\r\nemulator environments, and\r\nensuring specific services\r\nare running.\r\nProduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. 
WakeupActivity\r\nWake up the device and\r\nkeep the screen on briefly,\r\npossibly to perform some\r\nbackground task or update,\r\nensuring the device is in an\r\nactive state temporarily\r\nwithout user intervention.\r\nProduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. RequestUninstall\r\nManages the uninstallation\r\nof an app by its package\r\nname. Initiates the\r\nuninstallation process,\r\nawaits the result, and\r\nupdates the state based on\r\nthe success of the\r\nuninstallation.\r\nProduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. RequestInstallPrim\r\nLeverages accessibility\r\npermissions to automatically\r\nenable the installation of\r\napps from unknown sources,\r\nbypassing the need for user\r\ninteraction.\r\nProduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. installupdate\r\nChecks for and requests\r\nstorage permissions then\r\nupdates or installs an APK\r\nfrom a specified location on\r\nexternal storage. It ensures\r\nthe APK is installed without\r\nuser intervention.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2.etvjgdsitzvcgdjdtwchlbfzhpfusnqtosxuxzomdorljbuzad5\r\nCustomReceiver\r\nListens for broadcast intents\r\nand starts specific services if\r\nthey are not already running.\r\nThis ensures the malware\r\nremains active and persistent\r\nin the background.\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 13 of 32\n\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykr\r\nxeojs2.etvjgdsitzvcgdjdtwchlbfzhpfusnqtosxuxzomdorljbuzad5. 
ScreenReceiver\r\nCreates and shows a high-priority notification, then\r\nstarts necessary jobs and\r\nservices in the background.\r\nThis ensures the malware\r\nremains active and auto-starts its activities.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2.zguvfncxxhhdqujvjitsgjdhyzmtuaozzdwkzeyexxuhhimiru22Over\r\nObtains the \"Draw Over\r\nApps\" permission, enabling\r\nthe malware to display\r\noverlays on other\r\napplications. This can be\r\nused for phishing attacks,\r\ncapturing sensitive\r\ninformation,\r\nor maintaining persistence\r\nby displaying deceptive\r\ncontent over legitimate apps.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykr\r\nxeojs2. RequestDataUsage\r\nDisables data saver/\r\nbackground data restrictions\r\nfor the malware using the\r\naccessibility service,\r\nallowing it to use data in the\r\nbackground.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. RequestVPN\r\nInteracts with VPN\r\nconfigurations, potentially\r\nchanging or requesting VPN\r\nconnections using\r\nVpnService. It starts the\r\nFirewallServices service\r\nto manage the VPN\r\nconnection.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2.ydwlbbxtbltjeualxfwibizdrhltewtvbusneeiqmqqahdtdwc29\r\nChecks and requests\r\nnecessary permissions for\r\nthe app. It leverages\r\naccessibility permissions to\r\nautomatically handle\r\npermission requests without\r\nuser interaction.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2. RequestPermission2\r\nChecks and requests specific\r\npermissions for the app,\r\nleveraging accessibility\r\npermissions to automatically\r\nhandle permission requests\r\nwithout user interaction. 
If\r\nthe permissions are already\r\ngranted, the activity finishes;\r\notherwise, it requests the\r\nnecessary permissions.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2.zqackuuqpedtlvjluyqjofhkwxqflevinalgfldcsibssaelch21\r\nThis class requests to ignore\r\nbattery optimizations for the\r\napp, leveraging accessibility\r\npermissions to automate this\r\nprocess, ensures the\r\nmalware can run in the\r\nbackground without being\r\naffected by battery saving\r\nfeatures.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrx\r\neojs2. RequestAdmin\r\nRequest device\r\nadministrator privileges\r\nusing the\r\nDevicePolicyManager\r\n.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxeojs2.flyActivity\r\nCreates an activity that\r\nmoves to the background\r\nupon resuming, periodically\r\nsends broadcasts, and\r\nrestarts specific services if\r\nthey are not running.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2. OpenActivity\r\nOpenActivity can launch\r\nother apps without the user’s\r\nknowledge or consent. This\r\ncan potentially be exploited\r\nto open malicious apps or\r\nperform unauthorized\r\nactions.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2. OpenChrome\r\nAllows to open web pages\r\nprogrammatically, and this\r\ncan be exploited to direct\r\nusers to malicious websites\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 15 of 32\n\nwithout their knowledge or\r\nconsent.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2.etvjgdsitzvcgdjdtwchlbfzhpfusnqtosxuxzomdorljbuzad5. BootReceiver\r\nIt ensures that several\r\nservices are started after the\r\ndevice boots up. 
By using\r\naccessibility permissions, it\r\nautomates the process to\r\nmaintain persistent\r\nbackground activity and\r\nservice operation for the\r\nmalware.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2.etvjgdsitzvcgdjdtwchlbfzhpfusnqtosxuxzomdorljbuzad5. PackagesReceiver\r\nListens for package-related\r\nbroadcasts and starts\r\nspecific services if they are\r\nnot running.\r\nIt also handles auto-start\r\nconfigurations and updates\r\nsettings based on the\r\nbroadcast package\r\ninformation.\r\nproduces.amber.bmhdormajmedhcyhihvutwwngtdaildnxsqxavxqtsykrxe\r\nojs2.etvjgdsitzvcgdjdtwchlbfzhpfusnqtosxuxzomdorljbuzad5. Datareciver\r\nListens for broadcast intents\r\nand starts certain services if\r\nthey are not already running.\r\nThis ensures the malware\r\nremains active and persistent\r\nin the background.\r\nproduces.amber.AdminReceiver\r\nManages device\r\nadministration events and\r\nuser notifications. It can\r\nmanipulate device settings,\r\nparticularly related to\r\nbattery management.\r\nSupport the malware’s goal\r\nof maintaining control over\r\nadministrative tasks and\r\nensuring it remains active on\r\nthe device.\r\nService:\r\nSpyNote employs various services to run its operations, ensuring persistence and seamless execution of background tasks.\r\nThese services handle everything from data collection to maintaining active connections with command-and-control servers.\r\nBy using such services, SpyNote can perform long-running operations, manage device settings, and interact with other\r\nsystem components without user intervention.\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 16 of 32\n\nIn the Android ecosystem, developers must declare services in the AndroidManifest.xml file to ensure that the system can\r\nrecognize, manage, and interact with them properly. 
Malware creators cannot hide service declarations, as the service class\r\ndeclarations cannot be hidden or obfuscated.\r\nThe following services have been declared in the AndroidManifest.xml file, each playing a critical role in supporting the\r\nmalware’s operations:\r\ninitializeService: This core service sets up and maintains essential components for the malware’s operations. It\r\nensures persistent background activity, manages directories, registers broadcast receivers, and keeps specific services\r\nrunning.\r\nCameraHandler: Captures images or video from the device’s camera. Uses the camera’s preview callback to\r\ncontinuously capture, potentially for surveillance or data theft. Runs in the background, using the device’s resources\r\nwithout the user’s knowledge.\r\nLocationService: Monitors and retrieves the device’s location. Uses LocationManager and LocationListener for\r\nupdates from GPS and network providers. Collects location data (longitude, latitude, accuracy, speed) and sends it to\r\na remote server. Ensures continuous tracking by re-registering for updates and managing permission checks. Allows\r\npersistent tracking of device movements.\r\nAccessService: This is a complex and multifaceted service that leverages Android’s Accessibility Service to automate\r\nand control various aspects of the device. It simulates user interactions, captures and sends sensitive information,\r\nmanipulates settings, and performs actions typically requiring user intervention. 
This makes it highly effective for\r\nmalicious activities like spying, capturing passwords, and gaining unauthorized access to functions and data.\r\nAccessService class extends AccessibilityService\r\nThe following are the capabilities of AccessService class:\r\nCredential Harvesting: Captures and stores lock screen passwords.\r\nScreen Capture: Captures and sends screenshots.\r\nAutomated Clicks: Simulates screen taps with clickthis() and clickAtPosition().\r\nGlobal Actions: Performs system-wide actions, such as moving to the home screen.\r\nData Saving and Retrieval: Saves text and data into files, retrieves stored data using methods like RDF() and\r\ngetPwdType().\r\nService Management: Ensures services like initializeService and\r\nfpamecjtdiiagxwytwqeokjohzzmscsofxpitkaimgimvxwwld38 are running.\r\nData Transmission: Transmits collected data to remote servers.\r\nNotification Handling: Configures and displays notifications with MakeNotifier().\r\nScreen Status Listening: Listens for and handles screen status changes.\r\nGesture Execution: Executes custom gestures using ExecGestureInterface.\r\nDrawing on Screen: Simulates drawing gestures on the screen using mouseDraw().\r\nhttps://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/\r\nPage 17 of 32\n\nUnlock Screen Handling: Monitors and captures password inputs from the lock screen with checkPassword().\r\nBackgroundWorker: An IntentService that handles background tasks, managing its state and behavior. Ensures\r\npersistence and continuous operation of certain services, even if stopped by the user. Maintains a background\r\npresence, like monitoring user activity or displaying unwanted overlays.\r\nfpamecjtdiiagxwytwqeokjohzzmscsofxpitkaimgimvxwwld38: This Android Service class manages device operations,\r\nnetwork communications, and background tasks. 
It handles starting/stopping services, managing wake locks, and\r\nnetwork connections.\r\nFirewallServices: A service that extends Android VpnService class for managing VPN connections. It starts, stops,\r\nand checks VPN status, and handles network tasks. Implements Handler.Callback and Runnable to process messages\r\nand background tasks. Simulates network activities to intercept and redirect traffic, capturing sensitive information.\r\nEnsures persistent VPN connections for data exfiltration or command and control communications, and manipulates\r\nnetwork configurations to bypass security measures.\r\nncucydzeolnlmrvmgzsluovzmtlhrsabtholfgryhqyfjavbvl27ture: An Android Service class for screen capture\r\nfunctionality that starts and stops captures, manages notifications, and sends captured data. It can create virtual\r\ndisplays and handle media projection callbacks, intercepting and recording sensitive screen information like\r\npasswords and private messages. This service ensures persistent screen capture for continuous monitoring of user\r\nactivities.\r\nMyJobService: An Android Service class for maintaining the persistence of malicious services. It continuously\r\nchecks and restarts services like BackgroundWorker, keeping a background presence on the device for activities like\r\nmonitoring user activity or performing unauthorized actions.\r\nKeyboardService: This is an Android InputMethodService class that manages a custom keyboard input method. It can\r\nintercept and record every keystroke, potentially capturing sensitive information, such as passwords, credit card\r\nnumbers, and personal messages. By persisting in the background, it can continuously monitor user inputs without\r\ndetection.\r\n3. Meta-data:\r\nPhishing Detection Disabled: The app includes the following meta-data in the manifest file\r\nThis meta-data entry indicates that the app has disabled Google’s phishing detection. 
This decision could potentially expose\r\nusers to phishing risks, as the additional layer of protection against phishing attempts is turned off.\r\nKey Actions:\r\nScreen Capture: The startCapture method initiates a screen capture session using the Android MediaProjection API. It\r\nsets up the necessary display dimensions, initializes the projection and virtual display, and registers a callback to\r\nhandle the stop event of the projection. Essentially, it allows the app to capture and monitor everything displayed on\r\nthe device’s screen, which can be used to intercept sensitive information or continuously monitor user activity.\r\nCode snippet: screen capture\r\nScreenshot: The takeScreenshot method captures a single frame of the device’s screen, providing a snapshot of the\r\ncurrent display. It uses the Accessibility Service API to capture this image, enabling the app to intercept and analyze\r\nthe visual data.\r\nCode snippet: taking screenshots\r\nKey Logging: The malware uses methods like checkPassword to monitor and record keystrokes. By tracking\r\nkeyboard events, it can capture sensitive information, such as passwords, credit card numbers, and personal\r\nmessages.\r\nCode snippet: captures password inputs\r\nGather text from screen: The malware employs methods like readAllTextOnScreen to gather all text displayed on the\r\nscreen. By recursively traversing the accessibility node hierarchy, it collects and aggregates text content from various\r\nUI elements. This gathered text can include sensitive information, such as messages, passwords, and personal data.\r\nCode snippet: gather text from screen\r\nSelf-protection: The malware employs several tactics to protect itself from detection and removal. This includes\r\nmethods to check if it’s running in an emulated environment. 
If an emulator is detected, it displays alerts or exits to\r\navoid analysis by researchers. Additionally, it hides its activities by displaying a blank screen while requesting\r\npermissions and by clearing recent tasks once actions are completed. The SendHome method is used to escape to the\r\nhome screen when the user attempts to open the malware’s app settings, further concealing its presence and avoiding\r\nuser interference.\r\nEscape to home screen\r\nSend SMS: The malware has the capability to send SMS messages using the device’s messaging service. This can be\r\nused to send unauthorized messages, potentially incurring charges to the user or spreading malicious links to the\r\nuser’s contacts. By leveraging this functionality, the malware can propagate itself or execute phishing attacks, further\r\ncompromising the security and privacy of the device owner.\r\nCode snippet: sends text messages\r\nSimulate user interactions: The malware can automate touch inputs to navigate the system or interact with other apps.\r\nThis includes executing unauthorized actions, such as accepting permissions, making purchases, or modifying\r\nsettings without user consent. By simulating these interactions, the malware can perform a wide range of malicious\r\nactivities while the user remains unaware.\r\nCode snippet: simulate user interactions\r\nTarget web browsers: The AccessService class includes functionality to interact with web browsers by leveraging\r\naccessibility features. Specifically, the getSupportedBrowsers method lists several web browsers, such as Chrome,\r\nFirefox, Samsung Browser, Brave, Opera, DuckDuckGo, and others, indicating that the malware can target these\r\nbrowsers. 
It can monitor and manipulate user interactions with these browsers, potentially redirecting users to\r\nmalicious sites or capturing sensitive data, such as login credentials.\r\nCode snippet: targeted web browser\r\nLog User Data: The malware writes strings to a log file in the external storage, collecting and storing sensitive\r\ninformation, such as keystrokes, captured text, or other user inputs. This ensures that it can maintain logs over time,\r\nallowing for persistent data exfiltration. By continually logging this data, the malware can harvest a wealth of\r\ninformation from the device.\r\nCode snippet: logging data\r\nDeletes log: The malware includes functionality to delete specific log files from the device, as demonstrated by the\r\nclearUnLockPwd method. This method deletes several files in the directory /Config/sys/apps/loge/, such as\r\npwdss.text, pwdsz.text, pwd.text, and pwdtype.text. By removing these files, the malware effectively erases traces of\r\nits activities, making it harder for users or security tools to detect and analyze the collected data.\r\nCode snippet: delete logs\r\nGather User Data Across Applications: While this service is designed to assist users with disabilities by providing\r\nalternative ways to interact with their devices, the malware exploits it to capture sensitive information from any app.\r\nBy monitoring all accessibility events, it can gather text from input fields, capture screenshots, and log keystrokes.\r\nThis allows the malware to collect personal data, such as passwords, credit card numbers, and messages.\r\nObfuscation: The malware employs code obfuscation techniques to make its analysis and reverse engineering\r\ndifficult. By obfuscating class names, method names, and other identifiers, it becomes challenging for security\r\nresearchers and automated tools to understand and analyze the code. 
For example, inserting obfuscation strings\r\nbetween the actual parameters, as shown below, is intended to make reverse engineering and static analysis much\r\nmore difficult. This technique protects the malware’s functionality and intent from being easily uncovered.\r\nAdditionally, several classes contain repetitive and unused code, essentially acting as obfuscating ‘garbage code’.\r\nCode snippet: obfuscation in codes\r\nHides the app icon from the launcher: The malware can hide its app icon from the launcher to avoid detection by the\r\nuser. To achieve this, it disables the MainActivity component through the PackageManager when a specific condition\r\nis met.\r\nCode snippet: hide app icon\r\nIgnore Battery Optimizations: The malware checks if the device is ignoring battery optimizations to ensure\r\ncontinuous background operation. For example, if the app is running on Android Marshmallow (API level 23) or\r\nlater, it uses the PowerManager to check if battery optimizations are disabled for the app. If so, it ensures that the app\r\ncan run continuously in the background without being restricted by the device’s power-saving features.\r\nDetect analysis environment: In the MainActivity and SecondActivity classes, the malware attempts to detect if it is\r\nrunning on an emulator, SDK x86 environment, or VirtualBox (vbox86p). By examining system properties and build\r\ninformation, it identifies signs that indicate an emulated/virtual environment. This helps the malware avoid analysis\r\nand detection by security researchers who often use emulators to study malware behavior.\r\nCode snippet: verifying virtual environment\r\nCheck SIM Card Availability: The malware verifies if a SIM card is available and ready for use on the device. 
This\r\ncheck ensures that the device can support cellular communication, which is essential for certain malicious activities\r\nlike sending SMS or making calls. By avoiding the execution of certain actions if the device is in airplane mode or\r\nlacks a SIM, the malware operates efficiently without errors. Additionally, this check helps the malware detect virtual\r\nenvironments.\r\nChecking for SIM card\r\nCheck for active internet: In the MainActivity, the malware checks for an active internet connection to ensure it can\r\ncommunicate with its command-and-control servers and perform online tasks. By verifying network connectivity, it\r\nensures that it can send and receive data without interruption, maintaining its malicious operations effectively.\r\nScreen Overlay and Activity Logging: The malware displays an overlay or monitor view on the screen for various\r\nmalicious purposes, such as capturing user interactions or misleading the user. Additionally, it logs or reports\r\nactivities in an obfuscated manner to evade detection and analysis.\r\nCode snippet: active monitoring\r\nDownloads additional components: The malware can download additional components or updates from remote\r\nservers. This capability allows it to extend its functionality, install new malicious payloads, or update existing ones to\r\navoid detection.\r\nCode snippet: downloading component\r\nTarget Cryptocurrencies and wallets: The malware targets popular cryptocurrency wallets such as Trust Wallet and\r\nBinance Wallet. It specifically targets cryptocurrencies like Bitcoin (BTC), Ethereum (ETH), and Tether (USDT). 
By\r\ntargeting these wallets and currencies, the malware aims to intercept and steal sensitive information, such as private\r\nkeys and transaction details, to gain unauthorized access to the user’s cryptocurrency holdings.\r\nCode snippet: sets up a WebView to inject into the Binance Wallet app (Binance class)\r\nDecoded code from ‘Binance’ class\r\nChecks if the Bitcoin (BTC) balance in the Trust Wallet app is empty and attempts to retrieve it using different methods\r\nBrands on target: The malware targets a wide range of smartphone brands to maximize its reach and effectiveness.\r\nThese brands include HTC, Huawei, Honor, Lenovo, LG, LeMobile, Meizu, Nova, Oppo, Realme, Samsung, Sony,\r\nVivo, and Xiaomi, including its sub-brands Mi and Redmi. By targeting these popular brands, the malware ensures it\r\ncan infect a diverse array of devices, exploiting vulnerabilities and gaining unauthorized access to user data across\r\ndifferent models and manufacturers.\r\nTarget brands\r\nMisleading Update Notification: The malware creates and displays a notification claiming that a new system update\r\nis available, using the NotificationUtils class. When the user taps on this notification, instead of being directed to an\r\nactual update, they are redirected to the notification settings for the malware app. This method utilizes misleading\r\nnotifications to confuse the user and create a false sense of legitimacy. By doing so, the malware maintains its control\r\non the device, avoiding user attempts to uninstall or disable it, and ensuring it remains undetected and persistent in its\r\nmalicious activities.\r\nCode snippet: NotificationUtils class\r\nRequest device administrator privileges: The RequestAdmin class is an Android activity designed to request device\r\nadministrator privileges. 
While it initiates the request process, the actual granting of admin permission is handled\r\nautomatically by the Accessibility Service. This is achieved by simulating user interactions, ensuring the request is\r\ncompleted without any direct user intervention.\r\nCode snippet: RequestAdmin\r\nThe malware is equipped with multiple permissions that significantly enhance its control over the infected device. It\r\ncan change the WiFi configuration, including connecting to and disconnecting from networks. It also has permission\r\nto execute code after the phone reboots, ensuring it remains active even after a restart. Additionally, the malware can\r\nperform phone calls in the background without user intervention. These permissions collectively enable the malware\r\nto maintain persistence, perform covert operations, and exert extensive control over the device.\r\nMalware Dynamics:\r\nWe executed this variant of SpyNote malware, which confirms our earlier analysis derived from the code examination of the\r\nmalware. As soon as the malware is installed, it disguises itself by adopting the name and icon of Avast Antivirus for\r\nAndroid:\r\nfake icon/name\r\nAs soon as the user clicks the icon, it opens a layout requesting the user to grant accessibility permissions for the malware:\r\nRequesting accessibility permission\r\nHowever, if the user grants accessibility permission due to trust in the malware, mistaking it for an antivirus, the Android\r\nsecurity mechanism will warn the user about the potential implications:\r\nImmediately after the user grants accessibility permission, SpyNote displays a processing window asking the user to wait\r\nwhile it obtains the necessary permissions in the background. 
It accomplishes this by simulating user gestures and inputs.\r\nThis activity can be detected by the multiple touch sounds produced by Android (if the touch sound option is enabled),\r\nindicating the enabling of various permissions:\r\nProcessing window: masking permissions granting\r\nEnabled permission using accessibility\r\nReviewing the “All Permissions” section for the malware confirms the permissions identified during the code analysis. This\r\nvalidation reinforces the comprehensive examination of the malware’s capabilities, demonstrating that it successfully grants\r\nitself extensive permissions to carry out a wide array of malicious activities on the device.\r\nSpyNote also disables the “Auto-Reset Permissions” option for itself, ensuring it retains control over the device without\r\ninterruption:\r\nUsing the accessibility service, SpyNote also excludes itself from battery optimization, ensuring it can run continuously in\r\nthe background without being restricted by power-saving measures:\r\nThe malware displays a continuous silent notification stating, “New system software is available, Tap to learn more”. When\r\nthe user clicks on this notification, it redirects them to the notification settings for the malware app rather than an actual\r\nupdate. 
This deceptive tactic maintains the malware’s presence on the device and misleads the user about its true intentions:\r\nPersistent silent notification\r\nActive self-defense: if the user attempts to modify the malware’s permissions, force stop the app, or access the Accessibility\r\nSettings on the device, the malware uses accessibility features to simulate user touch gestures, preventing the user from\r\nperforming these actions, and escapes to the home screen by simulating the ‘back’ action multiple times.\r\nThe malware employs the Uninstall class, utilizing the Accessibility Service to monitor and intercept system events related\r\nto app management and settings, with a specific focus on preventing its own removal. It checks for specific class names and\r\nkeywords associated with uninstallation processes. When it detects relevant activities, it simulates a ‘back’ action\r\n(performGlobalAction(1)) to prevent the user from proceeding with the uninstallation.\r\nHowever, the malware has a critical flaw in its code. A NullPointerException occurs because it attempts to invoke the\r\ntoString() method on a null CharSequence object. This error disrupts its functionality, preventing it from executing certain\r\nmalicious actions as intended. This shows that while the malware is sophisticated in its persistence mechanisms, it is not\r\nimmune to coding errors that can hinder its effectiveness.\r\nNullPointerException error\r\nSpyNote collects data, such as credentials on the external storage (sdcard), and deletes them later to remove traces. 
This\r\ntactic allows the malware to temporarily store sensitive information until it can be exfiltrated to its command-and-control\r\nserver, ensuring that minimal evidence is left on the device.\r\nNetwork communication:\r\nInitially, the malware attempts to establish a connection with the C2 server (45[.]94[.]31[.]96[:]7544) but receives no\r\nresponse. It then begins monitoring network traffic to check for an active internet connection. For each log shown below,\r\nsubsequent SYN requests are sent to the same IP address, indicating repeated attempts to re-establish a connection with the\r\nC2 server:\r\nLog snippet: network connection attempt\r\nSYN requests sent to C2 (45[.]94[.]31[.]96[:]7544)\r\nHowever, in this instance, there is no response from the IP address. This lack of response could mean that the C2 server is\r\noffline, and unreachable at the moment. Regardless, the attempt indicates the malware’s intent to reach out and perform\r\nactions based on the commands received from the C2 server.\r\nSpyNote Capabilities\r\nAnalyzing SpyNote RAT offers important insights into its operational features. 
Based on this analysis, the following points\r\nhighlight the capabilities of this information-stealing malware:\r\nEmploys obfuscation to evade analysis tools.\r\nDetects analysis environments.\r\nLeverages accessibility service permission for extensive device control.\r\nSimulates user gestures to silently grant itself additional permissions in the background.\r\nOperates continuously and restarts services if stopped.\r\nAvoids being flagged by disabling Google’s phishing detection.\r\nObfuscates data collection processes.\r\nCollects and stores credentials and sensitive data in external storage before deletion.\r\nTargets multiple brands with device-specific approaches for persistence.\r\nTargets cryptocurrencies and wallets.\r\nActively steals data from other applications.\r\nDefends itself from being uninstalled.\r\nPrevents users from altering permissions or force-stopping it.\r\nIt can download and install additional apps/malware on compromised devices.\r\nExfiltrates harvested data.\r\nConclusion\r\nThe comprehensive analysis of the SpyNote malware reveals its sophisticated capabilities and extensive range of malicious\r\nactivities. By leveraging obfuscation techniques, accessibility service permissions, and advanced methods for persistence\r\nand evasion, SpyNote demonstrates a high level of technical ingenuity aimed at stealing sensitive information, manipulating\r\nuser interactions, and maintaining control over compromised devices. Its ability to operate continuously, collect and\r\nexfiltrate data, and install additional malware or applications underscores the significant threat it poses.\r\nAs threats like SpyNote RAT continue to evolve, it is crucial for organizations to implement robust cybersecurity measures\r\nand proactive defense strategies. 
Users should exercise caution when opening files from untrusted sources or clicking on\r\nunfamiliar links, particularly those promoting dubious software or content. Additionally, employing strong cybersecurity\r\npractices – such as using reputable antivirus software, keeping all software up to date, and staying vigilant against social\r\nengineering attacks – can significantly enhance protection against sophisticated malware like SpyNote RAT.\r\nIndicators Of Compromise\r\nS/N Indicators Type Context\r\n1 214aad6338d607df7ec75a2c48af09d5 File Avastavv.apk\r\n2 94a3b1fc830323234f5ac6e69cf0840507c23e15bee5c8c3aa86fddaf61ef8b1 File Avastavv.apk\r\n3 avastop[.]com Domain Malware Source\r\n4 https[:]//avastop[.]com/Avastavv.apk URL Malware Source\r\n5 Avastxo[.]com Domain Malware Source\r\n6 Avastbk[.]com Domain Malware Source\r\n7 Avastpx[.]com Domain Malware Source\r\n8 Avastcsw[.]com Domain Malware Source\r\n9 Avastsf[.]com Domain Malware Source\r\n10 Avastsp[.]com Domain Malware Source\r\n11 Avastpy[.]com Domain Malware Source\r\n12 Avastwp[.]com Domain Malware Source\r\n13 Avastkb[.]com Domain Malware Source\r\n14 Avastxv[.]com Domain Malware Source\r\n15 Avastga[.]com Domain Malware Source\r\n16 Avastsgp[.]com Domain Malware Source\r\n17 Avastpst[.]com Domain Malware Source\r\n18 45.94.31[.]96 IP Address Command \u0026 Control (C2)\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nNo. 
Tactic Technique\r\n1 Initial Access (TA0027) T1660: Phishing\r\n2 Persistence (TA0028)\r\nT1624.001: Broadcast Receivers\r\nT1541: Foreground Persistence\r\n3 Privilege Escalation (TA0029) T1626.001: Device Administrator Permissions\r\n4 Defense Evasion (TA0030)\r\nT1628: Hide Artifacts\r\nT1628.002: User Evasion\r\nT1629: Impair Defenses\r\nT1406: Obfuscated Files or Information\r\nT1633: Virtualization/Sandbox Evasion\r\n5 Credential Access (TA0031) T1417: Input Capture\r\n6 Discovery (TA0032)\r\nT1430: Location Tracking\r\nT1422: Internet Connection Discovery\r\n7 Collection (TA0035)\r\nT1517: Access Notifications\r\nT1429: Audio Capture\r\nT1616: Call Control\r\nT1414: Clipboard Data\r\nT1417: Input Capture\r\nT1636: Protected User Data\r\nT1513: Screen Capture\r\nT1512: Video Capture\r\n8 Exfiltration (TA0036) T1646: Exfiltration Over C2 Channel\r\n9 Impact (TA0034)\r\nT1516: Input Injection\r\nT1582: SMS Control\r\nYARA Rules\r\nrule SpyNote_RAT {\r\nmeta:\r\ndescription = \"Detects SpyNote malware based on provided IoCs\"\r\nauthor = \"Cyfirma Research\"\r\nversion = \"1.0\"\r\nstrings:\r\n$hash1 = \"214aad6338d607df7ec75a2c48af09d5\" // MD5 hash\r\n$hash2 = \"94a3b1fc830323234f5ac6e69cf0840507c23e15bee5c8c3aa86fddaf61ef8b1\" // SHA256 hash\r\n$url1 = \"https://avastop.com/Avastavv.apk\"\r\n$url2 = \"avastxo.com/Avastavv.apk\"\r\n$url3 = \"avastbk.com/Avastavv.apk\"\r\n$url4 = \"avastpx.com/Avastavv.apk\"\r\n$url5 = \"avastcsw.com/Avastavv.apk\"\r\n$url6 = \"avastsf.com/Avastavv.apk\"\r\n$url7 = \"avastsp.com/Avastavv.apk\"\r\n$url8 = \"avastpy.com/Avastavv.apk\"\r\n$url9 = \"avastwp.com/Avastavv.apk\"\r\n$url10 = \"avastkb.com/Avastavv.apk\"\r\n$url11 = \"avastxv.com/Avastavv.apk\"\r\n$url12 = \"avastga.com/Avastavv.apk\"\r\n$url13 = \"avastsgp.com/Avastavv.apk\"\r\n$url14 = \"avastpst.com/Avastavv.apk\"\r\n$ip1 = \"45.94.31.96\"\r\ncondition:\r\nany of 
($hash*, $url*) or $ip1\r\n}\r\nRecommendations\r\nImplement threat intelligence to proactively counter the threats associated with SpyNote RAT.\r\nTo protect the endpoints, use robust endpoint security solutions for real-time monitoring and threat detection, such as\r\nan antimalware security suite and a host-based intrusion prevention system.\r\nContinuous monitoring of the network activity with NIDS/NIPS and using the web application firewall to filter/block\r\nsuspicious activity provides comprehensive protection from compromise due to encrypted payloads.\r\nConfigure firewalls to block outbound communication to known malicious IP addresses and domains associated with\r\nSpyNote RAT stealer command and control servers.\r\nImplement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to\r\nmake unauthorized network connections.\r\nEmploy application whitelisting to allow only approved applications to run on endpoints, preventing the execution of\r\nunauthorized or malicious executables.\r\nConducting vulnerability assessments and penetration tests on the environment periodically helps harden security by\r\nfinding security loopholes, followed by a remediation process.\r\nThe use of security benchmarks to create baseline security procedures and organizational security policies is also\r\nrecommended.\r\nDevelop a comprehensive incident response plan that outlines steps to take in case of a malware infection, including\r\nisolating affected systems and notifying relevant stakeholders.\r\nSecurity awareness and training programs help to protect from security incidents, such as social engineering attacks.\r\nOrganizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by\r\nSpyNote RAT stealer malware.\r\nApply security patches, which can reduce the risk of potential compromise.\r\nSource: 
https://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyfirma.com/research/spynote-unmasking-a-sophisticated-android-malware/"
	],
	"report_names": [
		"spynote-unmasking-a-sophisticated-android-malware"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434008,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4497dadce5f066011fe8fbbcc2101f082a7501df.pdf",
		"text": "https://archive.orkl.eu/4497dadce5f066011fe8fbbcc2101f082a7501df.txt",
		"img": "https://archive.orkl.eu/4497dadce5f066011fe8fbbcc2101f082a7501df.jpg"
	}
}