{
	"id": "3cd5f715-649f-4c4a-a9de-6b0febf3f2b2",
	"created_at": "2026-04-06T00:08:32.953803Z",
	"updated_at": "2026-04-10T13:12:02.915168Z",
	"deleted_at": null,
	"sha1_hash": "8b39d294521d0dd73c89c18f17591e184692fe42",
	"title": "Caught in the Act: Uncovering SpyNote in Unexpected Places",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9608854,
	"plain_text": "Caught in the Act: Uncovering SpyNote in Unexpected Places\r\nPublished: 2024-06-20 · Archived: 2026-04-02 11:11:38 UTC\r\nTABLE OF CONTENTS\r\nIntroduction\r\nWhat is SpyNote, and How Does it Operate?\r\nOur Discoveries: SpyNote Samples in OpenDirs\r\nTranslate.apk\r\nTemp_20Mail.apk\r\npostbank.apk\r\nImpacts on Users and Devices\r\nConclusion\r\nIntroduction\r\nIn hidden corners of the Internet, open directories often serve as treasure troves, offering a glimpse into the unguarded secrets of digital repositories. While sometimes mundane, these directories can occasionally reveal attention-grabbing discoveries.\r\nOur team recently unearthed multiple samples of SpyNote, a well-known spyware targeting Android devices, cleverly disguised as legitimate apps such as Google Translate, Temp Mail, Deutsche Postbank, and even an app supposedly meant to discourage intoxicated driving.\r\nThis finding highlights how innocuous-seeming servers can often host dangerous threats. To stay protected, apply for a demo on Hunt and proactively access up-to-date threat information.\r\nWhat is SpyNote, and How Does it Operate?\r\nSpyNote is a sophisticated piece of malware that, as the name suggests, emphasizes spying on its victims. It has become a significant threat to Android users, especially after its source code was leaked in late 2022.\r\nThe spyware abuses accessibility services and device administrator privileges, allowing the malicious software to steal sensitive information such as device location, contacts, and SMS messages.\r\nSpyNote samples routinely rely on deception, using legitimate app icons to trick users into believing the app is harmless while it silently collects their data.\r\nFor further information on the technical analysis of SpyNote, check out the following articles:\r\nFortinet – Android/SpyNote Moves to Crypto Currencies\r\nMcAfee – Android SpyNote attacks electric and water public utility users in Japan\r\nThreatFabric – SpyNote: Spyware with RAT capabilities targeting Financial Institutions\r\nOur Discoveries: SpyNote Samples in OpenDirs\r\nThe Hunt platform provides hundreds of tags for known malware families and open-source tools in open directories, including SpyNote, as shown in Figure 1.\r\nhttps://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places\r\nPage 1 of 13\r\nFigure 1: Tags for SpyNote samples in open directories\r\nUsers can navigate directly to a page listing all the latest SpyNote samples hosted on misconfigured servers by clicking on any of these tags. In Figure 2, you’ll see that the historical data for discovered .apk files covers the past two months, providing an overview of the spyware’s recent activity. This tagging system ensures users can quickly track and analyze the presence of SpyNote and other threats across various open directories.\r\nFigure 2: Result of clicking on the SpyNote tags.\r\nLet's examine some particularly interesting samples we've found and their connections to Command and Control (C2) infrastructure.\r\nTranslate.apk\r\nThis directory, hosted on AWS at IP 18.219.97_209:8081, contained just three files: Google.apk, Translate.apk, and desktop.ini. Curiously, the first two files are identical, differing only in name.\r\nUpon installation, the app perfectly mirrors the legitimate Google Translate application, but a likely developer slip-up stands out. When requesting accessibility permissions, the instructions read “- Enable [MY-NAME],” a placeholder that should have been replaced. This error is shown in Figure 3.\r\nFigure 3: Accessibility services request screen (Source: Hatching Triage)\r\nAt the same time, the malicious app starts making network requests to its C2, kyabhai.duckdns_org, hosted on the same IP address at port 8080.\r\nDirectory Details\r\nOpen Directory \u0026 C2 IP: 18.219.97_209:8081\r\nGoogle.apk \u0026 Translate.apk SHA-1 hash: 3aad911b21907053a69b49086a6396c50714accb\r\nC2 domain: kyabhai.duckdns_org:8080\r\nTriage Link: https://tria.ge/240617-lwchbavhme\r\nFigure 4: File metadata for Translate.apk (Source: Hatching Triage Sandbox)\r\nTemp_20Mail.apk\r\nMoving on, we explored an open directory hosted by SonderCloud Limited at IP 156.245.13_61:8000. This directory not only contained several SpyNote APKs but also hosted Cobalt Strike and Sliver binaries targeting the Windows operating system.\r\nAmong these, a file named \"Temp_20Mail.apk\" caught our eye. This file disguises itself as the legitimate Temp Mail app, which allows users to generate disposable email addresses. However, unlike the previous samples, once installed, this program begins beaconing to the C2 IP address 156.245.20_17:7771.\r\nFigure 5 displays the malicious app using the legitimate icon, while Figure 6 shows the Temp Mail app on the Google Play Store.\r\nFigure 5: Screenshot of the malicious Temp Mail application\r\nFigure 6: Legitimate Temp Mail app in the Google Play Store\r\nAdditional information on the C2 was limited, but we did discover that the IP recently resolved to two domains: gw.585822_vip and nerjowmqw_com.\r\nDirectory Details\r\nOpen Directory: 156.245.13_61:8000\r\nC2: 156.245.20_17:7771\r\nTemp_20Mail.apk SHA-1 hash: 5b9bfa06d05172f61d1ee19724fcd12cec110353\r\nTriage Link: https://tria.ge/240617-l875rawdph/behavioral2\r\nFigure 7: Metadata for Temp_20Mail.apk (Source: Hatching Triage Sandbox)\r\npostbank.apk\r\nThe following file masquerades as an app for the German bank Postbank. This app communicates with the domain oebonur600.duckdns_org, which resolves to IP address 95.214.177_114 on port 3210, in a pattern that's becoming alarmingly familiar.\r\nA screenshot of the app during dynamic analysis is provided in Figure 8, showcasing its deceptive interface.\r\nFigure 8: Screenshot of postbank.apk during dynamic analysis (Source: Hatching Triage Sandbox)\r\nThe C2 is hosted on Cloudflare London at the Yusuf Kemal TURKMENOGLU ASN.\r\nFigure 9: IP Overview for C2 in Hunt\r\nIn late May 2024, a web page hosted on port 80 of the C2 contained the defacement message \"HACKED BY PersoDev.\" This page included a JavaScript script that disabled the right-click context menu and displayed an alert message. Additionally, it featured CSS to alter the opacity of images with a hover effect.\r\nWe don’t believe the two are related, but it is an interesting finding.\r\nFigure 10: Screenshot of ports and protocols for the associated IP in Hunt.\r\nDirectory Details\r\nOpen Directory \u0026 C2 IP: 5.252.74.45_443\r\npostbank.apk SHA-1 hash: dc9a821f1e061098188503dbf7518bf263334fcd\r\nC2 domain: oebonur600.duckdns_org\r\nTriage Link: https://tria.ge/240617-mhv8yawgqb\r\nImpacts on Users and Devices\r\nThe discovery of SpyNote samples in open directories poses significant risks to users, as these malicious files utilize additional infrastructure, including dynamic domains, for data exfiltration.\r\nOnce infected, users' sensitive information can be continuously siphoned to ever-changing locations, making detection and mitigation more challenging.\r\nConclusion\r\nThe SpyNote samples we've discussed show how even everyday apps like Google Translate and Temp Mail can be repurposed for malicious intent. These examples are just a handful of the over 40 SpyNote APKs available in Hunt, with many more likely operating undetected and stealing sensitive information.\r\nTo stay ahead of these threats, apply for a free demo of Hunt. Track and analyze numerous threats identified in open directories, analyze the infrastructure of over 80 malware families, and effectively protect your digital environment.\r\nSource: https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/caught-in-the-act-uncovering-spynote-in-unexpected-places"
	],
	"report_names": [
		"caught-in-the-act-uncovering-spynote-in-unexpected-places"
	],
	"threat_actors": [],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775826722,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b39d294521d0dd73c89c18f17591e184692fe42.pdf",
		"text": "https://archive.orkl.eu/8b39d294521d0dd73c89c18f17591e184692fe42.txt",
		"img": "https://archive.orkl.eu/8b39d294521d0dd73c89c18f17591e184692fe42.jpg"
	}
}