{
	"id": "5a68a08f-0eb9-4308-ac81-68298cd6fd7a",
	"created_at": "2026-04-06T00:19:19.646337Z",
	"updated_at": "2026-04-10T03:30:33.554683Z",
	"deleted_at": null,
	"sha1_hash": "4af57b248365f5eec16d56dbbf9ac1c2152d4461",
	"title": "Android/SpyNote bypasses Restricted Settings + breaks many RE tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 648195,
	"plain_text": "Android/SpyNote bypasses Restricted Settings + breaks many RE tools\r\nBy @cryptax\r\nPublished: 2024-02-19 · Archived: 2026-04-05 23:12:27 UTC\r\nToday, I reversed an Android spyware with multiple tricks. The malware was discovered by @malwrhunterteam two days ago.\r\nAbstract\r\nThe malware bypasses Android 13 Restricted Settings by using a session-based package installer to load a second (malicious) APK, which is stored locally in the assets.\r\nThe second APK uses a malformed ZIP which breaks most automatic unzipping tools. It is packed with JsonPacker but, because of the bad ZIP, the payload must be retrieved more or less manually.\r\nThe malicious payload reveals an obfuscated SpyNote sample with anti-emulation detection.\r\nThe malware poses as an OnlyFans app for adult content. It has the interesting package name of “tiramisudropper”. Unfortunately, we won’t get any Tiramisu, only a malicious payload 😢\r\nWhen launched, it displays an activity which suggests updating the application (layout d). In reality, no update or download occurs: the malware embeds another APK (assets/child.apk) and installs it.\r\nhttps://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38\r\nPage 1 of 7\r\nThe activity says “Update the application OnlyFans? To continue using OnlyFans, you need to update the application”. Note that hitting the submit button does not go to Google Play. The malicious APK is embedded in the wrapping one.\r\nBypassing Android 13 Restricted Settings\r\nAs you may know, Android’s Accessibility API is massively abused by malware to perform any kind of task on the victim’s phone (swipe, steal passwords, record unlock gestures, display overlays…). Google addressed this with Restricted Settings in Android 13: an app that was sideloaded outside a session-based installer cannot be granted Accessibility access until the user explicitly lifts the restriction in the app’s settings. Unfortunately, this can be bypassed by installing through the session-based PackageInstaller API, the same path legitimate app stores use, and that is exactly what the malware does.\r\npublic final void onCreate(Bundle bundle0) {\r\n    super.onCreate(bundle0);\r\n    this.setContentView(0x7F0D001D);\r\n    PackageInstaller.Session packageInstaller$Session0 = null;\r\n    try {\r\n        // Session-based install: create and open a session, then stream the embedded APK into it\r\n        PackageInstaller packageInstaller0 = this.getPackageManager().getPackageInstaller();\r\n        packageInstaller$Session0 = packageInstaller0.openSession(packageInstaller0.createSession(new Pack...\r\n        this.a(packageInstaller$Session0);\r\n...\r\n}\r\npublic final void a(PackageInstaller.Session packageInstaller$Session0) {\r\n    InputStream inputStream0;\r\n    // The session is fed from a local asset: nothing is downloaded\r\n    OutputStream outputStream0 = packageInstaller$Session0.openWrite(\"package\", 0L, -1L);\r\n    try {\r\n        inputStream0 = this.getAssets().open(\"child.apk\");\r\n    }\r\n...\r\n}\r\nThe technique of using a session-based installer is not new and has already been seen in other malware such as SecuriDropper. However, it is the first time I see it used to install a local APK (in conjunction with openWrite); usually the APK is downloaded from a remote malicious server.\r\nMalformed ZIP\r\nThe child APK is malformed: the archive contains directory entries whose names collide with important files such as AndroidManifest.xml and classes.dex, so a careless unzip creates directories that overwrite (or refuse to coexist with) the files of the same name.\r\nThe APK unzips with a directory named classes.dex. But that is the reserved name for the application’s Dalvik Executable file… This causes unzipping issues.\r\nThe technique was already seen last week in another Android/SpyNote sample.\r\nPacked with JsonPacker\r\nWhile the previous technique is not extremely advanced and can be worked around by manually renaming the overwritten files, it is sufficient to break numerous automatic tools such as Apktool, DroidLysis, JADX, Kavanoz…\r\napktool processes the APK with multiple errors.\r\nThe APK is packed with JsonPacker. In theory, Kavanoz can unpack these without any problem, but because of the malformed ZIP it breaks beforehand. So, I unpack with my unpacking script, jsondecrypt.py. For that, we need to find the encrypted JSON and the decryption key.\r\nBoth are spotted in the custom Application class (thanks to JEB for automatic string decryption): the JSON filename is ./assets/iAQGL.json and the key is wke.\r\npackage com.define.speed;\r\npublic class TKcUaBaNq extends Application {\r\n    public TKcUaBaNq() {\r\n        this.ARlZmOuPhLkSyYbBxNhGzOyFqPuNbAoXtEfNrYb = null;\r\n        this.XZjOzKeFjUfExAdEfUyLnGoCzXoGzZrYcJuGeYhSbYoPhEpMsEg = \"DynamicOptDex\";\r\n        this.NXmQpTsPhCtKeCmEpYp = \"iAQGL.json\";   // encrypted payload in assets/\r\n        this.NRlOrXhHqYeQxRbWkOgRfZnLaRyMtTd = 0;\r\n...\r\n        this.EIbBgThAbWtIxNqDxWnKbHtNpTbFkQl = \"wke\";   // decryption key\r\nWe unpack and find the payload classes.dex (sha256: f37d7b0ce5fcb839f6ce181b751d9d149c4a9a8e568d8f1881f887b3770df3ab):\r\n$ python3 jsondecrypt.py -i ./iAQGL.json -k wke\r\n$ unzip unpacked.zip\r\nArchive: unpacked.zip\r\n inflating: classes.dex\r\nMalicious Payload\r\nWe can now get into the malicious payload.
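Before going further, a note on getting the child APK open at all, since that is where the automatic tools fall over. The following is an added example and is not the author's jsondecrypt.py nor any tool the post mentions. It builds a constructed stand-in for the malformed child APK (a directory entry named classes.dex/ next to the real classes.dex file, and the same for AndroidManifest.xml), shows that a plain extractall() dies on it, flags the collision as a triage indicator, and extracts the archive correctly by walking the central directory entry by entry and ignoring directory entries, which is all the on-device installer needs anyway. The placeholder file contents and the assets/iAQGL.json name are assumptions for the demonstration.

```python
import io
import os
import posixpath
import tempfile
import zipfile


def build_sample_apk(collide=True):
    # Constructed stand-in for the child APK (not the real sample). With
    # collide=True, directory entries classes.dex/ and AndroidManifest.xml/
    # precede the real files of the same name, as a careless unzip would see it.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        if collide:
            zf.writestr('classes.dex/', b'')
            zf.writestr('AndroidManifest.xml/', b'')
        zf.writestr('classes.dex', b'dex-placeholder' + bytes(16))
        zf.writestr('AndroidManifest.xml', b'<manifest/>')
        zf.writestr('assets/iAQGL.json', b'{}')   # assumed packer asset name
    return buf.getvalue()


def find_collisions(zip_bytes):
    # Triage check: every file whose exact name also exists as a directory
    # entry. A well-formed APK never contains this.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    dirs = {i.filename.rstrip('/') for i in infos if i.is_dir()}
    files = [i.filename for i in infos if not i.is_dir()]
    return sorted(f for f in files if f in dirs)


def naive_extract(zip_bytes, dest):
    # What extractall() does with the colliding archive: the directory entry
    # is created first, then writing the real classes.dex fails with an
    # OSError (IsADirectoryError on Linux/macOS, PermissionError on Windows).
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            zf.extractall(dest)
    except OSError as exc:
        return exc
    return None


def safe_extract(zip_bytes, dest):
    # Walk the central directory by ZipInfo rather than by name, so a file and
    # a directory twin (or duplicate names) resolve unambiguously. Directory
    # entries carry no data and are skipped; parents are created on demand;
    # member names that escape dest are refused.
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = posixpath.normpath(info.filename)
            if rel.startswith('/') or rel.startswith('..') or '/../' in rel:
                raise ValueError('unsafe member name: ' + info.filename)
            target = os.path.join(dest, *rel.split('/'))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, 'wb') as dst:
                dst.write(src.read())
            written.append(rel)
    return written


def demo():
    # Runs both extractors on the constructed archive in scratch directories
    # and returns (collisions, naive error class name, files written, dex ok).
    apk = build_sample_apk()
    with tempfile.TemporaryDirectory() as d1, tempfile.TemporaryDirectory() as d2:
        err = naive_extract(apk, d1)
        files = safe_extract(apk, d2)
        with open(os.path.join(d2, 'classes.dex'), 'rb') as fh:
            dex_ok = fh.read().startswith(b'dex-placeholder')
    return find_collisions(apk), (type(err).__name__ if err else None), files, dex_ok


if __name__ == '__main__':
    print(demo())
```

The same walk works on the real child.apk: extract it with safe_extract, then hand the recovered classes.dex and assets to the usual tools, which only choke on the archive, not on its contents.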
The main activity is named carlo.dispatch.dktgfybenxphkfoqxhjzdqnsulaesmgnmhcobenogkwhkniuqs2.hlokjraiblierqbrrangfuwfxtxkomwsfgqlaorjhghsdvbgel6SJ — not as nice as TiramisuDropper 😉.\r\nAnti-emulation\r\nThe malware detects the standard Android emulators as well as third-party ones such as Genymotion by inspecting the android.os.Build properties. Note that && binds tighter than ||: BRAND and DEVICE must both start with “generic”, while any single one of the remaining checks is enough on its own.\r\n    private boolean isEmu_DIV_ID_lator() {\r\n        return (Build.BRAND.startsWith(\"generic\"))\r\n            && (Build.DEVICE.startsWith(\"generic\"))\r\n            || (Build.FINGERPRINT.startsWith(\"generic\"))\r\n            || (Build.FINGERPRINT.startsWith(\"unknown\"))\r\n            || (Build.HARDWARE.contains(\"goldfish\"))\r\n            || (Build.HARDWARE.contains(\"ranchu\"))\r\n            || (Build.MODEL.contains(\"google_sdk\"))\r\n            || (Build.MODEL.contains(\"Emulator\"))\r\n            || (Build.MODEL.contains(\"Android SDK built for x86\"))\r\n            || (Build.MANUFACTURER.contains(\"Genymotion\"))\r\n            || (Build.PRODUCT.contains(\"sdk_google\"))\r\n            || (Build.PRODUCT.contains(\"google_sdk\"))\r\n            || (Build.PRODUCT.contains(\"sdk\"))\r\n            || (Build.PRODUCT.contains(\"sdk_x86\"))\r\n            || (Build.PRODUCT.contains(\"sdk_gphone64_arm64\"))\r\n            || (Build.PRODUCT.contains(\"vbox86p\"))\r\n            || (Build.PRODUCT.contains(\"emulator\"))\r\n            || (Build.PRODUCT.contains(\"simulator\"));\r\n    }\r\nThis can be bypassed during analysis with an adequate Frida hook on the android.os.Build fields. Actually, we don’t even need it, because anti-emulation is only enabled if the Anti_emu function below returns true. By chance, this is not the case, because the default value for Checkemu is increasingc1 (and the comparison is a Java == on a String, i.e. a reference comparison rather than equals()).\r\n    public static boolean Anti_emu() {\r\n        return hlokjraiblierqbrrangfuwfxtxkomwsfgqlaorjhghsdvbgel6xGgwo137.Checkemu == \"NOEMO\";\r\n    }\r\nObfuscation\r\nThe code contains lots of junk code. This particular screenshot is taken from an activity named hlokjraiblierqbrrangfuwfxtxkomwsfgqlaorjhghsdvbgel6CWhPr69: the loop iterates once and breaks out. This has absolutely no use, except to confuse the analyst.\r\nAccessibility\r\nIt is no surprise that the malware asks the end user to enable the Accessibility API. This is possible without restriction because Restricted Settings were bypassed at installation time.\r\nThe malicious payload asks the end user to enable Accessibility for the application.\r\nThe Accessibility API is handled by the service carlo.dispatch.dktgfybenxphkfoqxhjzdqnsulaesmgnmhcobenogkwhkniuqs2.hlokjraiblierqbrrangfuwfxtxkomwsfgqlaorjhghsdvbgel6nS. It reveals the typical behavior of an Android/SpyNote spyware. For example, the following code clicks on given coordinates.\r\nThe remote server sends a configuration which may contain commands such as “clk” or “hold”. The implementation shows how this clicks (or long-clicks) on a given point of the screen.\r\nOther commands:\r\nBc: press the global BACK button\r\nHo: ensure the screen is on and press the HOME button\r\nRc: press the global RECENT button\r\nSK2 or SK: monitor the screenshot directory and perform the global action GLOBAL_ACTION_TAKE_SCREENSHOT\r\nLK: lock the screen via the global action GLOBAL_ACTION_LOCK_SCREEN\r\nThe remote server is 95.174.67.245 on port 7744.\r\nSpyNote has numerous functionalities, and its full protocol is long to reverse. If I have time, I’ll post that in another blog post… 😴.\r\nIOC\r\n46553a5db767a8b570e9d11bfe39e4817839daa534f2b5cedf54b72b2e735478 — OnlyFans.apk\r\nba69178e065c3bc762e3c0066edcb6fcf48cad558e78eb2da4913a03d8244e87 — child.apk\r\nf37d7b0ce5fcb839f6ce181b751d9d149c4a9a8e568d8f1881f887b3770df3ab — payload\r\n— the Crypto Girl\r\nSource: https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38"
	],
	"report_names": [
		"android-spynote-bypasses-restricted-settings-breaks-many-re-tools-8791b3e6bf38"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4af57b248365f5eec16d56dbbf9ac1c2152d4461.pdf",
		"text": "https://archive.orkl.eu/4af57b248365f5eec16d56dbbf9ac1c2152d4461.txt",
		"img": "https://archive.orkl.eu/4af57b248365f5eec16d56dbbf9ac1c2152d4461.jpg"
	}
}