{
	"id": "618763c0-4f98-4d71-9f8e-9f6ce52ed6c7",
	"created_at": "2026-04-06T00:07:58.518341Z",
	"updated_at": "2026-04-10T03:30:32.958376Z",
	"deleted_at": null,
	"sha1_hash": "478513f6231fd0f569cfe4d24df42e6aad607228",
	"title": "SpyNote RAT posing as Netflix app | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1513138,
	"plain_text": "SpyNote RAT posing as Netflix app | Zscaler Blog\r\nBy Shivang Desai\r\nPublished: 2017-01-23 · Archived: 2026-04-05 21:52:52 UTC\r\nWatch on Fox News: Hackers may use fake Netflix app to spy on users\r\nAs users have become more attached to their mobile devices, they want everything on those devices. There’s an\r\napp for just about any facet of one’s personal and professional life, from booking travel and managing projects, to\r\nbuying groceries and binge-watching the latest Netflix series.\r\nThe iOS and Android apps for Netflix are enormously popular, effectively turning a mobile device into a\r\ntelevision with which users can stream full movies and TV programs anytime, anywhere. But the apps, with their\r\nmany millions of users, have captured the attention of the bad actors, too, who are exploiting the popularity of\r\nNetflix to spread malware.\r\nRecently, the ThreatLabZ research team came across a fake Netflix app, which turned out to be a new variant of\r\nSpyNote RAT (Remote Access Trojan).\r\nSpyNote RAT is capable of performing a variety of alarming functions that include:\r\nActivating the device’s microphone and listening to live conversations\r\nExecuting commands on the device\r\nCopying files from the device to a Command \u0026 Control (C\u0026C) center\r\nRecording screen captures\r\nhttps://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app\r\nPage 1 of 8\n\nViewing contacts\r\nReading SMS messages\r\nThe screenshot below shows part of the sandbox’s report on the SpyNote RAT’s signature and detected functions:\r\nFigure 1: Zscaler Cloud Sandbox Detection\r\nThe fake Netflix app we are analyzing in this blog appears to be built using an updated version of the SpyNote RAT\r\nbuilder, which was leaked last year.\r\nTechnical details\r\nPlease note that our research is not about the legitimate Netflix app on Google Play.\r\nThe spyware in this analysis was portraying itself as the Netflix app. 
Once installed, it displayed the icon found in\r\nthe actual Netflix app on Google Play.\r\nFigure 2: Fake Netflix vs. legitimate Netflix\r\nAs soon as the user clicks the spyware’s icon for the first time, nothing seems to happen and the icon disappears\r\nfrom the home screen. This is a common trick played by malware developers, making the user think the app may\r\nhave been removed. But, behind the scenes, the malware has not been removed; instead it starts preparing its\r\nonslaught of attacks.\r\nFor contacting C\u0026C, the spyware was found to be using free DNS services, as shown in the screenshot below:\r\nFigure 3: Server details\r\nSpyNote RAT uses an unusual trick to make sure that it remains up and running and that the spying does not stop.\r\nIt does so using the Services, Broadcast Receivers, and Activities components of the Android platform.\r\nServices can perform long-running operations in the background and do not need a user interface. Broadcast\r\nReceivers are Android components that can register themselves for particular events. Activities are key building\r\nblocks, central to an app’s navigation, for example.\r\nThe SpyNote RAT registers a service called AutoStartup and a broadcast receiver named BootComplete.\r\nMainActivity registers BootComplete with a boot event, so that whenever the device is\r\nbooted, BootComplete gets triggered.\r\nBootComplete starts the AutoStartup service and the AutoStartup service makes sure that MainActivity is always\r\nrunning.\r\nWhat follows are some of the features exhibited by SpyNote RAT.\r\nCommand execution\r\nCommand execution can create havoc for the victim if the malware developer decides to execute commands on the\r\nvictim’s device. 
Leveraging this feature, the malware developer can root the device using a range of\r\nvulnerabilities, well-known or zero-day.\r\nThe following screenshot shows the command execution functionality in action:\r\nFigure 4: Command Execution\r\nThe paramString parameter shown in the above screenshot can be any command received from C\u0026C.\r\nScreen capture and audio recording\r\nSpyNote RAT was able to take screen captures and, using the device’s microphone, listen to audio conversations.\r\nThis capability was confirmed when the Android permission, called android.permission.RECORD_AUDIO, was\r\nbeing requested along with code found in the app.\r\nSpyNote RAT captured the device’s screen activities along with audio using the\r\nMediaProjectionCallback functionality (available with Lollipop, the Android 5.0 release, and later) and saved the\r\noutput in a file named \"video.mp4\" as shown in the following screenshot:\r\nFigure 5: Output File\r\nSMS stealing\r\nSpyNote RAT was also observed stealing SMS messages from the affected devices, as shown in the screenshot below:\r\nFigure 6: Reading SMS messages\r\nStealing contacts\r\nThe ability to steal contacts is a favorite feature for spyware developers, as the stolen contacts can be used to\r\nfurther spread the spyware.\r\nThe following screenshot shows the contacts being stolen and written to a local array, which is then sent to C\u0026C:\r\nFigure 7: Stealing and writing contacts\r\nUninstalling apps\r\nUninstalling apps is another function favored by developers of Android spyware and malware. They tend to target\r\nany antivirus protections on the device and uninstall them, which increases the possibility of their malware\r\npersisting on the device. 
The following screenshot shows this functionality in action:\r\nFigure 8: Uninstalling functionality\r\nOther functions\r\nIn addition to the functionalities we’ve described, the SpyNote RAT was exhibiting many other behaviors that\r\nmake it more robust than most off-the-shelf malware.\r\nSpyNote RAT was designed to function only over Wi-Fi, which is the preferred mode for Android malware to\r\nsend files to C\u0026C.\r\nThe screenshot below shows SpyNote RAT scanning for Wi-Fi and enabling it if a known channel is found:\r\nFigure 9: Scanning Wi-Fi\r\nAdditional features\r\n- SpyNote RAT could take photos using the device's camera, based on commands from C\u0026C.\r\n- There were two interesting sub-classes found inside MainActivity: Receiver and Sender. Receiver was involved\r\nin receiving commands from the server, and the main functionality of Sender was to send all the data collected to\r\nthe C\u0026C over Wi-Fi.\r\n- SpyNote RAT was also collecting the device’s location to identify the exact location of the victim.\r\nSpyNote RAT builder\r\nThe SpyNote Remote Access Trojan (RAT) builder is gaining popularity in the hacking community, so we decided\r\nto study its pervasiveness. What we found were several other fake apps developed using the SpyNote builder,\r\nwhich should come as a warning to Android users. Some of the targeted apps were:\r\nWhatsapp\r\nYouTube Video Downloader\r\nGoogle Update\r\nInstagram\r\nHack Wifi\r\nAirDroid\r\nWifiHacker\r\nFacebook\r\nPhotoshop\r\nSkyTV\r\nHotstar\r\nTrump Dash\r\nPokemonGo\r\nWith many more to come.\r\nFurthermore, we found that in just the first two weeks of 2017, there have been more than 120 such spyware\r\nvariants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild. 
A\r\ncomplete list of sample hashes is available here.\r\nConclusion\r\nThe days when one needed in-depth coding knowledge to develop malware are long gone. Nowadays, script\r\nkiddies can build a piece of malware that can create real havoc. Moreover, there are many toolkits like the\r\nSpyNote Trojan builder that enable users to build malware with ease and a few clicks.\r\nIn particular, avoid side-loading apps from third-party app stores and avoid the temptation to play games that are\r\nnot yet available on Android. Yes, we are talking about SuperMarioRun, which was recently launched by\r\nNintendo only for iOS users. Recent blogs by the Zscaler research team explain how some variants of Android\r\nmalware are exploiting the popularity of this game and tricking Android users into downloading a fake version.\r\n(Have a look here and here.)\r\nYou should also avoid the temptation to play games from sources other than legitimate app stores; such games are\r\nnot safe and may bring harm to your reputation and your bank account.\r\nZscaler users are protected from such attacks with multiple levels of security.\r\nSource: https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"
	],
	"report_names": [
		"spynote-rat-posing-netflix-app"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/478513f6231fd0f569cfe4d24df42e6aad607228.pdf",
		"text": "https://archive.orkl.eu/478513f6231fd0f569cfe4d24df42e6aad607228.txt",
		"img": "https://archive.orkl.eu/478513f6231fd0f569cfe4d24df42e6aad607228.jpg"
	}
}