{
	"id": "6274213b-ef54-40c2-ba75-bcb1186367e0",
	"created_at": "2026-04-06T00:09:57.816156Z",
	"updated_at": "2026-04-10T03:30:33.319203Z",
	"deleted_at": null,
	"sha1_hash": "c94138d3ff1ef0daa2ff920bb9c165f2a7e4428d",
	"title": "Take a note of SpyNote malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59125,
	"plain_text": "Take a note of SpyNote malware\r\nBy Amit Tambe\r\nPublished: 2025-02-23 · Archived: 2026-04-05 16:54:18 UTC\r\nThe Android threat landscape is fraught with diverse types of malware, each bringing its own ingenuity to the\r\nfield. Although each piece of Android malware has its own malicious agenda, the typical objective in most cases is\r\nto steal user data, especially personal data that can be used for nefarious purposes or even sold later. Based on the\r\nagenda alone, certain malware can be classified as spyware, because its sole objective is to spy on users by\r\nstealing as much user data as possible, and for as long as possible while staying hidden. This is slightly different\r\nfrom the objective of infostealers — which is, typically, to steal user credentials and credit card information for\r\nresale.\r\nAmong noteworthy spyware, one that has been in the limelight recently is SpyNote. This spyware app spreads via\r\nsmishing (i.e. malicious SMS messages) by urging the victims to install the app from provided links. Naturally,\r\nthe hosting and downloading happen outside of the official Play Store app, to prevent the security evaluation done\r\nby Google Play Store from thwarting the spread of this spyware.\r\nIn this article we describe some prominent features of this malware app based on our recent analysis. These\r\nfeatures are typical for spyware (including stalkerware, which has different spreading mechanisms — a topic for a\r\nseparate article).\r\nSpyNote features\r\nWe analysed a SpyNote sample with SHA256\r\nbad77dca600dc7569db4de97806a66fa969b55b77c24e3a7eb2c49e009c1f216 (pkg name Glasgow.pl.dimensional).\r\nManifest File\r\nAs is typical with Android malware analysis, we start the analysis by looking at the AndroidManifest.xml file.\r\nFig. 1 shows a snapshot of the Manifest file. Although the list of permissions requested by SpyNote is not very\r\nexhaustive, we do see some suspicious permissions being requested. 
These include READ_SMS,\r\nPROCESS_OUTGOING_CALLS, CAMERA, RECORD_AUDIO, WRITE_EXTERNAL_STORAGE, and\r\nBIND_ACCESSIBILITY_SERVICE. Even though a request for these permissions doesn’t always indicate\r\nmalicious behavior, these are typical permissions that spyware requests.\r\nA screenshot of a section of the AndroidManifest.xml file of SpyNote opened in a code editor.\r\nFigure 1. Suspicious permissions requested by SpyNote.\r\nEntry point\r\nAs per (one piece of) Android literature, there are multiple ways to create an entry point for your application:\r\nhttps://blog.f-secure.com/take-a-note-of-spynote/\r\nPage 1 of 6\n\nLauncher activity that handles intents of MAIN and LAUNCHER types.\r\nService running in the background.\r\nBroadcast receiver that gets called when the system sends one of the broadcasts that the app expects.\r\nThe declaration of the attachBaseContext method in the Application class.\r\nFor our analysis, the next logical step is to identify the entry point for this suspected spyware app and to find which\r\nmethod SpyNote uses for that. Upon first inspection, we see several methods used in AndroidManifest.xml that\r\ncan qualify as “entry points”. To gain more understanding, we install SpyNote on an Android device and observe\r\nits behavior. This can help to correlate the observed behavior on the phone with the code.\r\nUpon installation, we note that the app is nowhere to be seen in the app launcher. A simple check in the Phone\r\nSettings → Apps menu, however, shows that the app has been installed successfully. We can infer that the app is\r\nhiding to avoid detection.\r\nFor spyware, the reason behind hiding is to avoid detection and carry on with its objective of stealing user data as\r\nlong as possible. 
A couple of methods may be used by spyware to achieve this hiding functionality:\r\nUse of setComponentEnabledSetting to hide the app at runtime\r\nProviding no launcher activity category (CATEGORY_LAUNCHER) in AndroidManifest.xml\r\n(corresponding to the intent containing ACTION_MAIN)\r\nAs shown in Fig. 2, the launcher activity in SpyNote is missing the CATEGORY_LAUNCHER category. This\r\nrenders the app hidden on the phone. Fig. 2 also shows the class name of the main activity.\r\nA screenshot of another section of the AndroidManifest.xml file of SpyNote, where\r\nCATEGORY_LAUNCHER is missing.\r\nFigure 2. Missing “Launcher” category renders app hidden.\r\nExclude from “Recents”\r\nApart from hiding itself, SpyNote also takes the extra step of hiding its activities from showing up in the\r\n“Recents” screen (the screen that displays recently used apps). It achieves this by defining the attribute\r\nandroid:excludeFromRecents in AndroidManifest.xml and setting it to “true”.\r\nAs per Android documentation, “the Recents screen, is a system-level UI that lists recently accessed activities and\r\ntasks. The user can navigate through the list, select a task to resume, or remove a task from the list by swiping it\r\naway”. This is typically accessed by tapping on the hamburger menu at the bottom of the screen or swiping the\r\nscreen from the bottom.\r\nThere are several ways spyware apps may use to launch hidden apps:\r\nAttacker sends a command via SMS. The spyware app receives the broadcast for “SMS received” and then\r\nunhides the app icon.\r\nLaunching apps upon receiving an external trigger:\r\nReceiving a broadcast for an outgoing phone call and triggering the app\r\nAdding an intent filter for a specific URL in the manifest file. Whenever the victim browses to that\r\nURL, the malware will be launched. 
The victim can be convinced to visit that URL by sending SMS\r\nmessages, for example.\r\nUsing a separate launcher app that only sends the desired intent to the malware app, which is launched\r\nupon receiving this intent.\r\nAn Android phone with the “Recents” view visible. SpyNote hides itself from this view.\r\nFigure 3. The “Recents” screen.\r\nIt is essential for spyware that it stays hidden. However, this raises the question, “How will the victim launch the\r\nspyware app so that it can steal data?”\r\nThe SpyNote malware app can be launched via an external trigger. We created a minimalistic “Hello World”-style\r\nAndroid app (as shown in Fig. 4) that only sends the necessary intent (an “intention” to perform an action). Upon\r\nreceiving the intent, the malware app launches the main activity.\r\nAn example piece of code that would trigger the main activity of the hidden malware.\r\nFigure 4. External trigger app that launches hidden malware.\r\nPermissions\r\nUpon launch, SpyNote primarily requests the BIND_ACCESSIBILITY_SERVICE permission, and once the\r\nvictim grants it, the malware grants itself multiple other required permissions\r\n(android.permission.PROCESS_OUTGOING_CALLS, android.permission.RECORD_AUDIO,\r\nandroid.permission.WRITE_EXTERNAL_STORAGE, etc. as per Fig. 1).\r\nA screenshot of the lines of SpyNote code where more permissions are granted.\r\nFigure 5. Self-granting permissions using Accessibility Services\r\nFigure 5 shows the steps after the victim grants the BIND_ACCESSIBILITY_SERVICE permission:\r\n1. the spyware app requests all permissions mentioned in the manifest file one by one, and\r\n2. instead of waiting for the victim to grant these permissions, it generates a “tap” stroke to replicate a tap by\r\nthe user, thereby self-granting all requested permissions.\r\nDiehard services\r\nAfter getting SpyNote to launch, we can verify from the phone settings that it runs two services using obfuscated\r\nservice names. 
Based on AndroidManifest.xml, however, we can confirm that these are implemented in two\r\nclasses called C71 and C38.\r\nFurther investigation of the code reveals that these services are what we can call “diehard services”. The main\r\ngoal of diehard services is to make shutting down the malware app very difficult — both for victims and for the\r\nAndroid system itself.\r\nSpyNote achieves this functionality by registering a broadcast receiver (an Android component that allows you to\r\nregister for system or application events), called “RestartSensor”. This broadcast receiver is a unique one, because\r\nno other receiver on the system will be able to process the specific broadcast that SpyNote generates when it is\r\nabout to be shut down.\r\nWhenever a SpyNote service is about to be shut down, that service’s onDestroy method gets called. The onDestroy\r\nmethod then itself generates a “RestartSensor” broadcast. This is a broadcast specific to this app, and cannot be\r\ngenerated by any other app on the system. Upon receiving this broadcast, the broadcast handler (which is the\r\npreviously registered unique receiver) restarts the services. Fig. 6 shows this process.\r\nA flowchart of how SpyNote is able to restart itself after getting killed by Android.\r\nFigure 6. Diehard service restarts itself.\r\nFigure 7 shows this process via code screenshots. The spyware app first declares a broadcast receiver in the\r\nAndroidManifest.xml file. Whenever a shutdown attempt is made to destroy the malicious services, the onDestroy\r\nmethod generates the “RestartSensor” broadcast. The broadcast receiver then restarts the service.\r\nA collection of screenshots of the lines of code handling the auto-restarting of SpyNote.\r\nFigure 7. 
Steps taken by SpyNote to prevent the killing of its services.\r\nC2 Communication\r\nAs is typical of spyware, the stolen data is useful only if it is sent back to the threat actor. This exfiltration happens\r\nby setting up connections with the attacker’s Command and Control (C2) server. Identifying such a C2 server and\r\nblocking communications with it can help prevent any personal data exfiltration.\r\nIn the SpyNote sample that we are analyzing, C2 communication is established immediately as part of the\r\ninitialization of spyware services. A simple search for the “connect” call reveals the existence of C2 communication.\r\nThe C2 IP and port are base64 encoded as shown in Figure 8.\r\nA screenshot of the lines of code where connection with SpyNote’s command-and-control server\r\nis set up.\r\nFigure 8. C2 communication.\r\nPhone call recording\r\nSpyNote takes spying one step further, and even records incoming phone calls to the victim as .wav files and\r\nsends the files to the C2 server. It does this by first granting itself the “READ_CALL_LOG” permission, which is\r\npossible thanks to the previously granted ACCESSIBILITY_SERVICE permission, and additionally defining a\r\nbroadcast receiver for the system broadcast intent “PHONE_STATE”.\r\nWhen the victim gets an incoming call, the phone state changes, and the broadcast receiver is triggered. The code\r\nin the broadcast receiver checks if the victim has answered the call, and once confirmed, starts recording the\r\naudio. Figure 9 shows code snippets performing this malicious activity.\r\nScreenshots of SpyNote code snippets performing phone call recording.\r\nFigure 9. Phone call recording\r\nImage capturing/screenshot\r\nThe spyware uses the MediaProjection API to capture images of the victim’s phone screen.\r\nThe MediaProjection API lets an application capture device contents that can be recorded or cast to other devices such\r\nas TVs. 
The content is always captured from a real display device. This captured content is then rendered to an\r\nintermediate “virtual display” which is the centerpiece of media projection. Finally, the Surface is a consumer of\r\nthe images captured. It gets these images from the “virtual display” and renders them.\r\nTo achieve this, SpyNote registers an OnImageAvailableListener, and this listener is called whenever a new image\r\nis available. The malware app then directly sends this captured image data as a JPG file to the C2 server. All this is\r\nshown in Figure 10.\r\nScreenshots of SpyNote code snippets related to capturing screenshots on the compromised\r\ndevice.\r\nFigure 10. Spyware taking screenshot using ImageReader.\r\nLogging and stealing of data\r\nSpying, logging, and exfiltration of user data are some of the core “features” of any spyware. SpyNote is no\r\ndifferent. After a successful launch, it creates a new log file, and starts logging a variety of actions performed by the\r\nvictim.\r\nKeylogging is another core feature of SpyNote, and all keys typed by the victim are logged as Base64 strings by\r\nthe malware app in its own log file. Because it keeps its own log file, it is straightforward for the spyware app to save\r\nthe snooped user data, such as credentials. For example, we checked SpyNote’s log file after unlocking the device\r\nscreen that required us to type a password. Figure 11 shows the log file created by SpyNote and the screen unlock\r\npassword captured in it.\r\nScreenshots of the log file created by SpyNote, including entries captured via keylogging.\r\nFigure 11. 
Spyware infologger.\r\nSome other examples of captured actions include screen on/off, screen unlock password, list of apps shown on the\r\nhome screen, movement gestures, and so on.\r\nDifficult uninstallation\r\nThe goal of all spyware is to maximize its stay on the victim device, and extract as much information as possible.\r\nSpyNote, which starts its activities as a hidden app, also ensures longer persistence by making the uninstallation\r\nprocess difficult.\r\nAs the app is hidden, victims cannot “long press” the app icon and uninstall it. The next option for victims to\r\nuninstall apps would be to go to Settings → Apps and uninstall.\r\nHowever, SpyNote prevents this by closing the menu screen whenever the victim navigates to the app through\r\nSettings. This is possible because of the BIND_ACCESSIBILITY_SERVICE permission acquired by the\r\nspyware.\r\nThe victim cannot stop services of this spyware via developer options either, because the malware has “diehard\r\nservices” running on the device, as described earlier. The victim is eventually left only with the option of\r\nperforming a factory reset, losing all data in the process.\r\nSummary\r\nThe SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs,\r\ninformation on installed applications and so on. It stays hidden on the victim’s device, making it challenging to\r\nnotice. It also makes uninstallation extremely tricky. The only option that the victim is left with is performing a\r\nfactory reset to remove the malware.\r\nF-Secure detects this sample as “Malware.Android/Bankbot.FLJI.Gen”.\r\nIOC\r\nbad77dca600dc7569db4de97806a66fa969b55b77c24e3a7eb2c49e009c1f216\r\n37[.]120[.]141[.]140:7775\r\nSource: https://blog.f-secure.com/take-a-note-of-spynote/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.f-secure.com/take-a-note-of-spynote/"
	],
	"report_names": [
		"take-a-note-of-spynote"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434197,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c94138d3ff1ef0daa2ff920bb9c165f2a7e4428d.pdf",
		"text": "https://archive.orkl.eu/c94138d3ff1ef0daa2ff920bb9c165f2a7e4428d.txt",
		"img": "https://archive.orkl.eu/c94138d3ff1ef0daa2ff920bb9c165f2a7e4428d.jpg"
	}
}