{
	"id": "29158782-cb9c-4410-bfbc-1773c5eb8c0a",
	"created_at": "2026-04-06T00:21:33.555985Z",
	"updated_at": "2026-04-10T03:21:03.432837Z",
	"deleted_at": null,
	"sha1_hash": "44be425ed4cb27d482db488fcefed32393ceccaa",
	"title": "Android/SpyNote Moves to Crypto Currencies | FortiGuard Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1287323,
	"plain_text": "Android/SpyNote Moves to Crypto Currencies | FortiGuard Lab\r\nBy Axelle Apvrille\r\nPublished: 2024-02-15 · Archived: 2026-04-05 21:58:30 UTC\r\nAffected Platform: Android\r\nImpacted Users: Android users with mobile crypto wallet or banking applications\r\nImpact: Financial Loss\r\nSeverity Level: Medium\r\nSpynote is a Remote Access Trojan that initially surfaced in 2020. Since then, it has grown into one of the most\r\ncommon families of malware for Android, with multiple samples, integration of other RATs (e.g. CypherRat), and a\r\nlarge family of over 10,000 samples. There are multiple variants and integrations of other RATs, and since 2023 there\r\nhas been a growing interest in financial institutions.\r\nOn February 1st, we found a malicious sample posing as a legitimate crypto wallet that actually included the SpyNote\r\nRAT with several interesting additions related to anti-analysis and cryptocurrencies.\r\nAccessibility API for Crypto Wallet injections\r\nLike much Android malware today, this malware abuses the Accessibility API. This API is used to automatically\r\nperform UI actions. For example, the malicious sample uses the Accessibility API to record device unlocking gestures.\r\nNewer, this SpyNote sample uses the Accessibility API to target famous crypto wallets.\r\nThe following code recognizes the use of a legitimate crypto wallet and displays an overlay over it.\r\nThe injected overlay consists of a WebView whose HTML is hard-coded in Base64.\r\nhttps://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies\r\nPage 1 of 5\n\nIf we decode the overlay, we get an HTML page for cryptocurrency transfers. Notice that the page apparently\r\ninitiates a transfer between 2 hard-coded fake wallets. See below: the “…” in between the alleged wallet addresses are\r\nexactly as in the code (note that we censored the full addresses). For the malware analyst, it’s obvious they are fake. 
\r\nHowever, the victim is unlikely to notice, because (1) wallet addresses are long strings of characters and are\r\ntherefore difficult to verify by eye, and (2) the page looks as if it were displayed by the victim’s legitimate crypto wallet application\r\n(in reality, it is drawn over the real crypto wallet app, but the user cannot tell the difference).\r\nIn addition, the malicious code uses the Accessibility API to fill in the transfer form automatically and send the victim’s funds\r\nto the cybercriminals. Precisely, the code performs the following tasks:\r\n1. Reads and memorizes the destination wallet address (field input_value)\r\n2. Reads and memorizes the amount (field input_general_amount)\r\n3. Replaces the destination address with the attacker’s crypto wallet address\r\n(initializeService.usdtadress). This address is sent by the remote server the malware communicates with.\r\n4. Clicks on Max (action_max). This option requests to send the full balance, not a portion.\r\n5. Clicks on the Next/Continue button\r\nAll of these operations are performed automatically through the Accessibility API without the user’s intervention.\r\nPermissions for the Accessibility API\r\nTo gain access to the Accessibility API, all malware lures victims one way or another into granting it the necessary\r\nrights. This sample follows the same strategy. We remind end-users that they should never do this. While the\r\nAccessibility API is rightfully requested by apps that help people with disabilities, such a request should always be treated as\r\nhighly suspicious when it comes from an alleged crypto wallet, PDF reader, video player, etc.\r\nThe two screenshots show (1) the SpyNote malware requesting the Accessibility Service and (2) how, when you grant\r\nthe desired access, the Android OS displays an additional warning window explaining the risks.
It is still possible at\r\nthat point to click on “Deny,” and the malware won’t gain access.\r\nUnfortunately, as soon as the victim clicks on “Allow,” it is basically “game over” because the malware can navigate,\r\nclick, read, and modify the UI of any application.\r\nAnti-analysis\r\nBesides injections into crypto wallets, the sample features an interesting, simple, but efficient anti-analysis technique.\r\nWe remind users that Android Packages (APK) are ZIP files and normally contain a Dalvik executable (classes.dex), a\r\nmanifest (AndroidManifest.xml), resources, and assets. In this particular case, the sample is malformed: several\r\nresource entries are listed under paths that use classes.dex and AndroidManifest.xml as directory names.\r\nBut classes.dex and AndroidManifest.xml are files, not directories. Consequently, standard unzip tools fail with lots of\r\nerrors when they try to write the archive to disk, which complicates the automated analysis of the sample. Since the app still\r\ninstalls and runs, Android’s own ZIP reader, which looks entries up by name, copes with it; the trouble is specific to tools that unpack the archive to a filesystem.\r\nConclusion\r\nAfter a growing interest in financial institutions, this new Android/SpyNote sample shows that malware authors\r\nare now taking cryptocurrencies into account.
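Before leaving the anti-analysis trick, here is an added example (written for this page, not code from the FortiGuard post or from the SpyNote sample). It builds a small in-memory ZIP whose entry names use classes.dex and AndroidManifest.xml both as file entries and as directory prefixes of other entries, shows that unpacking it to disk fails, and then reads the same archive the way a triage tool should: straight from the central directory, by entry name, flagging the clash instead of choking on it. The entry names and placeholder contents are constructed for illustration and are not the paths or bytes of the real sample.

```python
# Added example, not from the FortiGuard post or the SpyNote sample.
# Demonstrates the file/directory name clash that breaks unzip-to-disk tools,
# and a name-based reader that tolerates it and reports it.
import io
import tempfile
import zipfile

# Constructed placeholders: not real DEX, manifest or resource bytes.
PLACEHOLDER_DEX = b'placeholder dex'
PLACEHOLDER_MANIFEST = b'placeholder manifest'


def build_malformed_apk() -> bytes:
    # Write an APK-like ZIP in which classes.dex and AndroidManifest.xml exist
    # as file entries and also appear as directory components of other entries.
    # Entry paths are assumed for the example; real samples use other paths.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_STORED) as zf:
        zf.writestr('AndroidManifest.xml', PLACEHOLDER_MANIFEST)
        zf.writestr('classes.dex', PLACEHOLDER_DEX)
        zf.writestr('res/layout/main.xml', b'placeholder layout')
        zf.writestr('classes.dex/res/values/strings.xml', b'placeholder resource')
        zf.writestr('AndroidManifest.xml/assets/overlay.html', b'placeholder overlay')
    return buf.getvalue()


def try_extract(apk_bytes: bytes) -> str:
    # Naive triage step: unpack to a temporary directory. Once classes.dex has
    # been written as a file, creating classes.dex/res/... fails with an OSError
    # (NotADirectoryError on POSIX), which is what trips ordinary unzip tools.
    with tempfile.TemporaryDirectory() as workdir:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            try:
                zf.extractall(workdir)
            except OSError as err:
                return type(err).__name__
    return 'ok'


def scan_entries(apk_bytes: bytes) -> dict:
    # Robust triage step: never touch the filesystem. The central directory is
    # intact, so the key entries can be read by exact name, and any entry whose
    # path treats a file entry as a directory is reported as an indicator.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        file_entries = [n for n in names if not n.endswith('/')]
        clashes = sorted(
            n for n in names
            if any(n.startswith(f + '/') for f in file_entries)
        )
        dex = zf.read('classes.dex')
        manifest = zf.read('AndroidManifest.xml')
    return {
        'entries': len(names),
        'clashes': clashes,
        'dex_size': len(dex),
        'manifest_size': len(manifest),
    }


if __name__ == '__main__':
    apk = build_malformed_apk()
    print('extractall result:', try_extract(apk))
    print('central-directory scan:', scan_entries(apk))
```

Running the script prints the name of the OSError raised by the extract step and the clash list produced by the scan step. In a pipeline, a non-empty clash list is itself worth recording alongside the hashes, since normal Android build tooling never produces such paths, and the by-name reader keeps classes.dex and AndroidManifest.xml available to the downstream decoders regardless of the clash.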
The capabilities of the malware go well beyond merely spying on\r\ncredentials, as it can initiate cryptocurrency transfers on its own.\r\nAs for anti-analysis, while the implemented technique is simple and bypassable by a human analyst, it certainly\r\ndefeats, or at least complicates, automated analysis, giving the malware author a little more time before detection.\r\nThe sample is detected automatically by our products, and we urge Android users to pay particular attention to any\r\napplication requesting the Accessibility API.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware variant through our AntiVirus. FortiGuard Labs\r\ndetects the sample with the following AV signature:\r\nAndroid/SpyNote.F!tr\r\nThe FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP\r\ncustomers running current AntiVirus updates are also protected.\r\nIOCs\r\nFile: Imtoken.apk\r\nSHA1: 8eea235b26fadeecd0f817433c97747853c51a24\r\nSHA256: caac4681389b0af7998ba8fd2062d18050a0e5e8cb4c8d0006a1b3a921ee52c8\r\nDetection: Android/SpyNote.F!tr\r\nSource: https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies"
	],
	"report_names": [
		"android-spynote-moves-to-crypto-currencies"
	],
	"threat_actors": [],
	"ts_created_at": 1775434893,
	"ts_updated_at": 1775791263,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/44be425ed4cb27d482db488fcefed32393ceccaa.pdf",
		"text": "https://archive.orkl.eu/44be425ed4cb27d482db488fcefed32393ceccaa.txt",
		"img": "https://archive.orkl.eu/44be425ed4cb27d482db488fcefed32393ceccaa.jpg"
	}
}