{
	"id": "0dce862d-8c8a-4f52-b20e-6d1b2d094c66",
	"created_at": "2026-04-06T00:11:21.464519Z",
	"updated_at": "2026-04-10T13:12:11.462203Z",
	"deleted_at": null,
	"sha1_hash": "e16c3e73298f619af6c3048f3b6cfd24909e767a",
	"title": "SpyNote: Comprehensive Analysis of an Android Remote Access Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3385276,
	"plain_text": "SpyNote: Comprehensive Analysis of an Android Remote Access\r\nTrojan\r\nBy Ireneusz Tarnowski\r\nPublished: 2026-01-25 · Archived: 2026-04-05 22:59:26 UTC\r\n21 min read\r\nJan 23, 2026\r\nPress enter or click to view image in full size\r\nThreat Context and Evolution of SpyNote\r\nIn recent years, a steady increase in threats targeting mobile devices has been observed, with the Android\r\necosystem being particularly affected. Smartphones, which routinely store both personal and corporate data, have\r\nbecome attractive targets for cybercriminals as well as threat actors performing espionage-orientated operations.\r\nAn example of a long-standing and continuously evolving threat in this domain is the SpyNote malware, also\r\nknown under related names such as CypherRat and SpyMax.\r\nhttps://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nPage 1 of 21\n\nSpyNote is a Remote Access Trojan (RAT) family that has been present in the mobile threat landscape for several\r\nyears. Despite the public availability of its builder and its relatively long history, SpyNote continues to be actively\r\nleveraged in ongoing campaigns, both large-scale and targeted in nature. In recent periods, its use has also been\r\nobserved in operations attributed to Advanced Persistent Threat (APT) groups, significantly increasing the overall\r\nrisk associated with this malware family.\r\nThe objective of this report is to provide an overview of the core characteristics, operational model, and\r\ndistribution methods of SpyNote, followed by a technical analysis of recent selected samples used in current\r\ncampaigns.\r\nKey characteristics of SpyNote Android RAT\r\nRemote Access Trojan (RAT) malware represents one of the most widespread and persistent threat categories\r\naffecting mobile devices. 
The Android platform, in particular, due to its global prevalence and relatively open\r\napplication distribution model, remains a prime target for malicious campaigns aimed at data theft, remote device\r\ncontrol, and financial abuse. Among active mobile malware families, SpyNote occupies a notable position as a\r\nlong-standing Android RAT that has served as a foundational codebase for multiple publicly available RAT tools\r\nand their subsequent modifications.\r\nSpyNote (also known in underground communities as SpyMax or SpyNote/SpyMax RAT) originally emerged as a\r\ncommercial or semi-commercial Android RAT offering full remote control over infected devices. A pivotal\r\nmoment in its evolution occurred in 2020, when the source code of version 6.4 was leaked, leading to widespread\r\nproliferation and enabling the development of numerous derivatives (forks) and variants by various cybercriminal\r\ngroups and third parties. As a result, SpyNote’s codebase became the foundation for a range of newer Android\r\nRAT tools developed within the underground ecosystem and later distributed under a Malware-as-a-Service\r\n(MaaS) model by independent operators.\r\nThe technical literature and threat intelligence reporting have also drawn connections between SpyNote and other\r\ntools that exhibit similar operational characteristics. One such example is Craxs RAT, which is described in\r\nindustry analyses as a derivative or variant of SpyNote/SpyMax, reusing its core codebase while extending it with\r\nadditional functionality and control mechanisms. 
In this case, the SpyNote code was further developed by an actor\r\nusing the alias EVLF, who, beginning in 2022, actively developed and distributed Craxs RAT through channels\r\nsuch as Telegram, advertising it as an enhanced Android RAT with expanded device control and surveillance\r\ncapabilities.\r\nFrom a threat perspective, SpyNote should not be viewed as a single static tool with a fixed set of features.\r\nMultiple variants of this RAT have been identified, often designated using alphabetical or generational naming\r\nconventions (e.g., SpyNote.A, SpyNote.B, SpyNote.C). Depending on the campaign, these variants can employ\r\ndifferent tactics, techniques, and obfuscation strategies. What unifies them is a broad range of remote control and\r\nsurveillance capabilities, positioning SpyNote as a highly capable and dangerous tool within the mobile malware\r\necosystem.\r\nImportantly, the use of SpyNote and its derivatives is not limited to financially motivated cybercrime. Although\r\nmany campaigns involving these tools are large-scale and focus on credential theft, financial fraud, or application-level phishing, their functionality also makes them suitable for targeted surveillance operations. Consequently,\r\nboth cybercriminal groups and potentially Advanced Persistent Threat (APT) actors or other espionage-motivated\r\nentities can adapt this malware for their own objectives by extending its modules or integrating it with additional\r\nmalware components as part of more complex intrusion campaigns. 
Multiple threat intelligence reports indicate\r\nthat groups such as OilRig (APT34), APT-C-37 (Pat-Bear), and Kimsuky have included SpyNote in their tooling\r\nportfolios during operations targeting high-value assets.\r\nDistribution Model and Operational Use (MaaS)\r\nThe distribution of SpyNote and its derivatives, including Craxs RAT, is largely based on the Malware-as-a-Service (MaaS) model, which for years has been one of the primary mechanisms enabling the scalability of\r\ncybercrime. This model separates the role of the malware developer from that of the campaign operator:\r\ndevelopers provide ready-made malware, builders, and command infrastructure, while end users are responsible\r\nfor the actual deployment and distribution of the tool.\r\nAs noted previously, the leakage of the SpyNote source code enabled unrestricted modification, the development\r\nof independent forks, and integration with other malware components. In practice, this led to fragmentation of the\r\nSpyNote ecosystem, in which multiple variants coexist, differing in implementation details while preserving a\r\nshared architectural foundation and a common set of RAT capabilities characteristic of this malware family.\r\nThe tool has been actively advertised through closed and semi-closed communication channels, primarily on\r\nplatforms such as Telegram. Vendors offered not only the malware itself but also a complete operational backend,\r\nincluding malicious application builders, administrative control panels, and guidance on bypassing Android\r\nsecurity mechanisms. This approach significantly reduced the entry barrier for new operators and allowed the\r\nrapid launch of infection campaigns without requiring advanced technical expertise.\r\nFrom a technical standpoint, malware distribution is mainly based on trojanized APK files (Android application\r\ninstallation packages) masquerading as legitimate mobile applications. 
These most commonly impersonate\r\nweb browsers, banking applications, courier services, messaging applications, VPN tools, or applications themed\r\naround current social or economic events. Malware APKs are distributed outside the official Google Play Store\r\nthrough phishing websites, direct download links, malicious advertisements, and SMS or email messages\r\ncontaining links to the installers.\r\nA key component of this distribution model is the use of social engineering to persuade users to manually install\r\nthe application and grant it extensive system permissions. This mechanism is critical, as SpyNote does not rely on\r\nexploit-based infection vectors or remote code execution (RCE). Campaign operators frequently instruct victims\r\nto disable Android security features, such as Google Play Protect, or to allow the installation of applications from\r\nunknown sources. In some campaigns, more advanced techniques are employed, including device-type-based\r\nredirection to customised payloads, link obfuscation through QR codes, or the use of loader applications that\r\ndownload or decrypt the actual SpyNote payload at a later stage.\r\nThe MaaS model also promotes the decentralisation of the command-and-control infrastructure. Each operator\r\nmay deploy their own C2 servers, often hosted with different providers or hidden behind dynamic DNS\r\nservices. Some variants also support C2 fallback mechanisms and dynamic address rotation using DNS-over-HTTPS. As a result, a distributed ecosystem of campaigns emerges, which may appear unrelated despite being\r\nbuilt on identical or closely related malware codebases. 
This fragmentation significantly complicates\r\ninfrastructure-level mitigation efforts and the attribution of activity to specific threat actors.\r\nOperator Infrastructure: Administrative Panel and Builder\r\nAn integral component of the SpyNote ecosystem is its publicly accessible administrative panel (C2 panel),\r\noffered through the official project website. This panel serves as the central management interface for infected\r\ndevices and plays a critical role in the operational use of the tool. From a technical and functional perspective, it\r\nrepresents a classic command-and-control interface, providing operators with full visibility into victim activity\r\nand the ability to issue commands in real time.\r\nProject Website\r\nThe SpyNote administrative panel is marketed as an “advanced Android remote administration tool”; however, the\r\nscope of its functionality clearly aligns with that of malicious Remote Access Trojan (RAT) software. Labelling\r\nthe tool as a “remote admin tool” is a common marketing tactic intended to reduce the legal exposure of its\r\nauthors. The interface allows operators to monitor and control Android devices with a wide range of capabilities,\r\nincluding passive data collection and active manipulation of the victim’s system. All functions are accessible\r\nthrough a single management console and do not require physical access to the device.\r\nFigure 1. “SpyNote project” service — informational landing page.\r\nAmong the core capabilities of the administrative panel is real-time remote screen viewing, combined with the\r\nability to interact with and control the system interface. This functionality enables operators to observe the\r\nongoing activity of the victim, including applications launched, user input, and displayed content. 
The panel also\r\nsupports remote screen unlocking, effectively allowing operators to take control of a device even when it is\r\nprotected by lock mechanisms. It should be noted that this capability is achieved through granted Accessibility Service\r\npermissions rather than by bypassing or breaking Android’s native lock-screen security mechanisms.\r\nA particularly significant feature is remote access to device sensors, including the microphone and camera. The\r\npanel enables covert audio and video recording without the user’s knowledge, as well as real-time camera\r\nstreaming. When combined with malware activity-hiding mechanisms, these capabilities facilitate long-term,\r\ndiscreet surveillance of the victim.\r\nThe administrative panel also provides extensive tools to manage the data stored on the infected device. Operators\r\nhave access to a file explorer module that supports browsing, downloading, and deleting files, along with\r\ndedicated modules to extract SMS messages, call history, contact lists, and stored account credentials. In addition,\r\na built-in keylogging module allows the interception of user input, including potentially sensitive authentication\r\ndata related to banking or corporate applications.\r\nFigure 2. “SpyNote project” service — overview of tool functionality.\r\nOne of the more advanced components of the administrative panel is the location tracking module, which provides\r\nreal-time monitoring of the position of the infected device using GPS data. 
This functionality is presented through\r\nan interactive map with three-dimensional visualisation, allowing for precise tracking of the victim’s movements.\r\nWhen correlated with other modules, it enables the operator to associate user activity with physical location.\r\nPersistent location tracking is achieved through a combination of granted location permissions and a background\r\nservice, resulting in minimal or no system alerts being presented to the user.\r\nThe SpyNote panel also includes features typically associated with offensive administrative tools, such as access\r\nto a system terminal. This module allows operators to execute commands on the infected device, retrieve detailed\r\nsystem configuration information, and potentially deploy additional components. This functionality significantly\r\nincreases the operational flexibility of the tool and enables operators to dynamically adapt their actions to a\r\nspecific victim or scenario.\r\nFrom a business model perspective, the SpyNote administrative panel is offered under paid licensing schemes,\r\nincluding time-limited subscriptions and lifetime licences. The available options include short-term trial licences,\r\nmid-term subscriptions, and one-time purchases granting permanent access to the tool. A notable characteristic of\r\nthe monetisation model is the exclusive acceptance of cryptocurrency payments, such as Bitcoin, Ethereum, or\r\nUSDT. This approach is commonly observed in ecosystems associated with tools that carry elevated legal and\r\noperational risks.\r\nFigure 3. 
“SpyNote project” service — pricing information.\r\nSpyNote operators also advertise the availability of customised versions of the tool, including modification of the\r\nsource code and the provision of “special services” on client request. From an analytical standpoint, this indicates\r\na high degree of flexibility and a willingness to tailor malware to specific use cases, including potentially targeted\r\nor custom operations.\r\nCommand-and-Control (C2) and Builder\r\nThe administrative panel described above constitutes the central component of the entire SpyNote malware\r\necosystem and is responsible for managing the complete infection lifecycle, from the generation of malicious\r\napplications to the ongoing control of infected devices. Depending on the SpyNote version and its numerous\r\nforks, the panel interface may differ visually and functionally; however, across all observed variants, a common\r\nset of core operational mechanisms is preserved. These differences stem from the fact that the tool has been\r\nrepeatedly modified and adapted by various threat actors over time.\r\nFigure 4. SpyNote administrative panel — infection management.\r\nRegardless of the variant, a key component of the administrative panel is the builder module, which enables the\r\ngeneration of customised and unique malware samples in the form of Android APK files. The builder allows\r\noperators to define fundamental parameters of the malicious application, including the application name presented\r\nto the user, the package name, and component identifiers, facilitating the masquerading of malware as legitimate\r\nsoftware. 
At this stage, the process name and details of the command-and-control infrastructure are also\r\nconfigured, notably the IP address or domain of the C2 server and the communication port to which the\r\napplication will connect once executed on the victim’s device. Some builder versions support the generation of\r\nmultiple variants of the same sample (polymorphism), significantly hindering traditional signature-based\r\ndetection.\r\nFigure 5. SpyNote administrative panel — builder configuration.\r\nA critical aspect of the building process is the ability to selectively enable specific functionalities within the\r\ngenerated sample. The panel provides operators with a set of toggles corresponding to individual operational\r\nmodules, such as access to the camera, microphone, location data, SMS messages, contacts, and files.\r\nAdditionally, the builder allows for the enforcement of requests for special permissions, including the ability to\r\ndraw screen overlays, ignore battery optimisation mechanisms, and suppress system notifications. Of particular\r\nimportance is the option to automatically obtain extended privileges following the activation of the Accessibility\r\nService, which in practice enables further escalation of control over the operating system without direct user\r\ninteraction.\r\nFigure 6. SpyNote administrative panel — builder configuration.\r\nFrom a technical perspective, the SpyNote administrative panel is a desktop application developed using the .NET\r\nframework. The APK build process relies on external tools, most notably apktool, which is used for decompiling,\r\nmodifying, and recompiling Android application packages. 
The integration of the builder with apktool allows\r\noperators to generate new variants without programming knowledge, automating the injection of configuration\r\ndata and the embedding or obfuscation of RAT code.\r\nFigure 7. SpyNote administrative panel — APK compilation process.\r\nOnce launched, the administrative panel opens a listening port and awaits incoming connections from infected\r\ndevices. When a generated application is installed and executed on a victim’s device, it initiates a connection to\r\nthe C2 server defined during the build process. Upon successful communication, the device is registered within\r\nthe panel as a new victim, granting the operator full visibility into its status and the ability to remotely manage its\r\nfunctionalities.\r\nThe panel enables the dynamic activation of individual malware modules in response to the operator’s immediate\r\nrequirements. This includes, among other actions, initiating screen monitoring, capturing images from the camera,\r\nrecording audio, tracking location, browsing files, and monitoring communications. These capabilities can be\r\nactivated in real time, allowing flexible surveillance operations and adaptive behaviour based on victim activity.\r\nAnalysis of generated APK samples indicates that the build process involves more than simply embedding a static\r\nC2 address. It also includes the selective enabling or disabling of manifest components and background services.\r\nAs a result, different SpyNote samples may exhibit significantly different permission requests and runtime\r\nbehaviours, even when generated from the same administrative panel. 
This mechanism complicates signature-based detection and facilitates the proliferation of a large number of distinct malware variants.\r\nFigure 8. SpyNote administrative panel — infected device management.\r\nFrom an operational standpoint, the SpyNote administrative panel simultaneously serves as a malware generation\r\ntool, a command-and-control server, and an operator console. This consolidation of functionality, combined with\r\nease of use and extensive configuration capabilities, makes SpyNote an attractive tool for both cybercriminals and\r\nthreat actors conducting more targeted operations, including those of a potential espionage nature.\r\nTechnical Analysis of SpyNote Samples\r\nThe technical analysis was conducted on selected SpyNote samples obtained from ongoing campaigns as well as\r\nfrom publicly available malware sample repositories. The objective of the analysis was to identify current\r\ninfection mechanisms, persistence techniques, command-and-control (C2) communication, and the scope of\r\nfunctionality executed on infected Android devices.\r\nThe SpyNote execution flow begins at the application installation stage, delivered in the form of an Android APK\r\npackage. At this stage, the AndroidManifest.xml file already declares a broad set of permissions; however, their\r\nactual granting and activation occur progressively during subsequent infection phases, in accordance with the\r\nAndroid runtime permission model.\r\nUpon first launch, the application initialises its primary activity, responsible for preparing the malware’s\r\noperational environment. 
During this phase, components are activated to collect key device information, including\r\nAndroid OS version, hardware model, system identifiers, and security patch level. This information is\r\nsubsequently used to determine the appropriate privilege escalation techniques and operational paths.\r\nFigure 9. Example screen — Accessibility Service permission request (illustrated using a trojanized\r\nsample “Roblox Modded.apk”).\r\nThe next stage of malware execution involves gradual privilege escalation, implemented through a sequence of\r\ndedicated activities designed to coerce the user into granting additional high-impact permissions. This mechanism\r\nrelies heavily on social engineering techniques and the use of system overlay windows. Initially, the user is asked\r\nto grant access to the Accessibility Service, which represents a critical turning point in the SpyNote operational\r\nchain. Once obtained, this permission allows the malware to monitor user interactions and simulate input events,\r\nenabling further automated privilege escalation.\r\nWith Accessibility Service permissions in place, SpyNote proceeds to additional system takeover steps. These\r\ninclude semi-automated enforcement of Device Administrator privileges, activation of a custom system keyboard\r\n(a common mobile keylogging technique), and authorisation to operate unrestricted in the background by\r\nbypassing battery optimisation mechanisms. In certain variants, attempts have also been made to obtain\r\npermissions to install and uninstall application packages, enabling further malware expansion or the deployment of\r\nadditional components.\r\nIn parallel with privilege escalation, persistence mechanisms are deployed. 
SpyNote registers BroadcastReceiver\r\ncomponents configured to handle selected system events, including device reboot (BOOT_COMPLETED), screen\r\nstate changes, power connection events, and USER_PRESENT events indicating device unlock. As a result,\r\nmalicious services are automatically restarted after the system reboots or are activated upon user interaction,\r\nincreasing operational reliability while reducing the observable indicators of malicious activity.\r\nAfter acquiring the required permissions, the malware initialises its full set of operational capabilities. Services are\r\nlaunched for location tracking, audio and video capture, keystroke logging, and application activity monitoring.\r\nDepending on the configuration, some of these capabilities operate in a passive mode, awaiting commands from\r\nthe C2 server, while others may be triggered automatically in response to predefined system events.\r\nFigure 10. Decompiled and decoded SpyNote class: network configuration.\r\nThe final stage of the execution chain involves establishing communication with the C2 infrastructure of the\r\ncampaign operator. SpyNote initiates outbound network connections to the configured C2 server, transmitting\r\npreviously collected device identification data and signalling readiness to receive commands. Communication is\r\nperformed either periodically or in an event-driven manner, depending on the configuration, and serves both for\r\nexfiltrating data from the compromised device and for receiving control instructions governing further malware\r\nbehaviour through a shared data and management channel. 
In more advanced variants, this communication may\r\nalso be concealed through encryption mechanisms or VPN tunnelling, complicating detection at the network layer.\r\nIn general, the SpyNote operational model reflects a deliberate multi-stage architecture designed to progressively\r\nassume control over the victim’s device while minimising the risk of detection. The combination of social\r\nengineering, the abuse of legitimate Android system mechanisms, and centralised C2-based control makes\r\nSpyNote a tool well suited for long-term covert surveillance operations.\r\nCommand-and-Control (C2) Communication\r\nThe analysed component, \u003cpackage_name\u003e.run.Socket, is responsible for handling the complete network\r\ncommunication between the infected device and the SpyNote command-and-control server (C2). This\r\nimplementation represents the central element of the C2 communication architecture and is designed to support\r\nstable and long-lived bidirectional communication while maintaining flexibility in the transmission of commands\r\nand data. The use of persistent TCP connections distinguishes SpyNote from the majority of mobile RATs, which\r\ntypically rely on short-lived, pull-based communication models.\r\nOn the client side, communication is implemented using asynchronous network channels (AsyncChannel) built on\r\nJava NIO (Non-blocking I/O), leveraging TCP sockets. During connection initialisation, the malware configures key\r\nsocket options such as TCP_NODELAY and SO_KEEPALIVE, indicating an intentional effort to minimise\r\nlatency and maintain long-lived sessions. 
The C2 server address and port are dynamically retrieved from the\r\nSupport.SocketInfo class, confirming that these values are injected during the sample build process via the\r\nadministrative panel.\r\nThe connection establishment process is implemented in the Client.Connect class, which performs repeated\r\nconnection attempts with built-in exception handling. In the event of a failure, the malware introduces a delay\r\nbefore retrying, allowing it to survive temporary C2 infrastructure outages or victim-side network disruptions.\r\nUpon successful connection, a timestamp is recorded and subsequently used for session state monitoring.\r\nImmediately after establishing the connection, the client transmits an initialisation packet containing an extensive\r\nset of identification and telemetry data. This data set includes a unique device identifier, malware version,\r\napplication package name, key class names, battery status, location data, screen lock state, and detailed\r\ninformation about the operating system and vendor-specific interface. This packet serves as the registration\r\nmechanism for a newly compromised device within the administrative panel and enables the operator to rapidly\r\nassess the operational value of the victim.\r\nInbound data from the C2 server is handled by the ReceiveData class, which implements a proprietary\r\ncommunication protocol. Data are transmitted as a byte stream in which individual segment lengths are separated\r\nby a null byte. Once a complete frame is received, the data are decoded and optionally decompressed using the\r\nGZIP mechanism before being passed on for further processing. The decoded packets are placed into a shared\r\nSocket.packets queue, enabling asynchronous handling by other execution threads.\r\nCommand processing is performed by the IncomingPackets class, which cyclically retrieves packets from the\r\nqueue and forwards them to the Client.Data method. 
At this stage, incoming instructions are interpreted based on\r\nlogical command keys, triggering the execution of corresponding malware functions.\r\nA notable architectural feature is the handling of operational tasks. SpyNote employs parallel task execution for\r\nactivities such as file system traversal, directory content enumeration, and operations on multimedia files,\r\nincluding screen capture with configurable parameters. The use of thread pools allows efficient utilisation of\r\ndevice resources while enabling these activities to be performed in the background without generating obvious\r\nindicators of activity visible to the user.\r\nThe persistence of C2 communication is maintained through a dedicated connection health monitoring mechanism\r\nimplemented in the CheckConnection class. This component periodically sends “ping” packets and tracks idle\r\nsession time. In the absence of responses or upon detection of connectivity issues, the malware autonomously initiates\r\ndisconnection and reconnection procedures. This mechanism ensures the continuity of the campaign even under\r\nunstable mobile network conditions. In addition, up-to-date information is periodically transmitted regarding\r\nbattery level, charging state, location, and screen lock status, allowing the operator to maintain real-time\r\nsituational awareness of the victim device. Such telemetry may also function as operational triggers — for\r\nexample, to activate audio or video recording when the device is connected to a power source to minimise battery\r\ndrain and reduce the likelihood of user detection.\r\nAll control logic governing the operation of individual communication components is centralised within the\r\nController class. 
This class coordinates the initialisation, termination, and reinitialisation of tasks responsible for\r\nconnection handling, data reception, command processing, and session monitoring. This design provides high\r\nfault tolerance and enables automatic recovery from communication disruptions, a characteristic commonly\r\nassociated with mature malware families. In some variants, additional communication concealment mechanisms\r\nwere observed, including custom headers, obfuscated session identifiers, or tunnelling over HTTPS, significantly\r\ncomplicating network traffic monitoring and event correlation.\r\nAnalysis of the communication component clearly indicates that SpyNote employs a custom C2 protocol based on\r\npersistent TCP sessions, supporting compression, dynamic command handling, and multithreaded processing. This\r\narchitecture is optimised for long-term control over infected devices, flexible functional expansion, and\r\nminimisation of session loss risk, reinforcing SpyNote’s classification as a mature and operationally robust\r\nAndroid RAT.\r\nObfuscation Techniques\r\nSpyNote employs a broad range of obfuscation and code protection techniques that have evolved from basic\r\nmethods to sophisticated mechanisms designed to evade modern security controls. Although early versions and\r\npublicly available builders often lacked any meaningful protection, contemporary variants (such as SpyNote.C or\r\nV7) exhibit a significantly higher level of complexity.\r\nFigure 11. Configuration observed in a decompiled file (encoded version).\r\nSome variants operate as droppers, where the initial APK functions solely to deploy a secondary payload\r\nconcealed within a DEX file embedded in the application’s resources. Connection parameters for the C2\r\ninfrastructure are frequently embedded within these additional DEX files, which introduces another layer of\r\nconcealment. 
Such techniques have been observed in campaigns attributed to APT groups (e.g., APT43), where\r\nthe actual SpyNote code is hidden in the /assets directory under benign-looking filenames such as security.dat or\r\nhttps://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nPage 16 of 21\n\nsearch.db. Decryption of this payload is performed using a dedicated native library, commonly referred to as\r\nSILENTKEY (e.g., libnative-lib.so), which exposes a decryptFile function. The shift from simple Java-based\r\nXOR encryption to native-library-based decryption significantly reduces the effectiveness of static analysis using\r\nstandard DEX decompilation tools.\r\nMalware extensively leverages encoding mechanisms to conceal critical configuration data, including C2 IP\r\naddresses, port numbers, and communication keys. Exfiltrated victim data — such as captured keystrokes — is\r\nlikewise stored and transmitted in encoded or, in some cases, encrypted form. In newer variants, multi-stage\r\ndecoding chains are employed, with strings being decrypted only at the moment of use, further complicating static\r\nfunction mapping and string-based detection.\r\nRecent SpyNote versions make use of commercial packers and advanced string obfuscation techniques, rendering\r\nthe application code largely unreadable to conventional decompilers and hindering the identification of malicious\r\nfunctionality. Obfuscated class and service names (e.g., classes labelled C71 or C38) are commonly used to blend\r\nmalicious components into the landscape of legitimate system services. 
Many samples also include artificial code\r\npadding, dead code, fake classes, and deeply nested try/catch blocks, all of which are intended to disrupt control-flow analysis and delay reverse engineering efforts.\r\nPress enter or click to view image in full size\r\nhttps://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nPage 17 of 21\n\nhttps://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nPage 18 of 21\n\nFigure 12. SpyNote class and method tree — unobfuscated version.\r\nIn more advanced cases, the malware code is decrypted only at runtime and loaded directly into memory (in-memory execution). As a result, malicious modules are not present in plain text form on the disc, effectively\r\nbypassing file-based scanning mechanisms such as Google Play Protect. This technique is primarily observed in\r\nvariants used in targeted campaigns or developed by advanced operators and is not a standard feature of the\r\npublicly available SpyNote builder.\r\nThe cumulative application of these techniques significantly impedes both static analysis and behavioural\r\ndetection of SpyNote, underscoring the increasing sophistication of this malware family and its continued\r\nadaptation to evolving defensive measures.\r\nSummary\r\nSpyNote represents a mature, multi-component Android RAT designed as a cohesive ecosystem encompassing C2\r\ninfrastructure, an operator control panel, a personalised sample generation mechanism, and a modular client-side\r\narchitecture. This design enables centralised campaign management and precise tailoring of individual malware\r\ninstances to specific operational requirements.\r\nFrom a functional perspective, SpyNote combines passive surveillance capabilities with active device control. Its\r\nfeature set includes credential harvesting, user activity monitoring, access to system resources, and execution of\r\nremote commands. 
A core architectural element is the systematic abuse of Android Accessibility Services, which\r\nenables logical privilege escalation and automation of user interface interactions without requiring root access. In\r\npractice, this makes SpyNote particularly effective on modern Android versions, as it bypasses many security\r\nrestrictions imposed on non-privileged applications. Another distinguishing characteristic is its ability to maintain\r\npersistent TCP sessions, setting SpyNote apart from most mobile RATs and complicating network traffic analysis.\r\nThe SpyNote operational model shifts the configuration logic to the sample build stage. Communication\r\nparameters, functional scope, and post-installation behaviour are defined within the operator panel, resulting in\r\nmalware variants that differ significantly in runtime behaviour and technical artefacts. This approach substantially\r\nreduces the effectiveness of signature-based detection and facilitates long-term persistence on compromised\r\ndevices.\r\nFrom a detection and response standpoint, SpyNote represents a class of threats characterised by deep integration\r\nwith the Android system mechanisms, resilience to device reboots, and the ability to operate stealthily in the\r\nbackground based on system events. The use of a proprietary C2 protocol and dynamic command processing\r\nfurther complicates infrastructure identification and network-level blocking efforts.\r\nConsequently, SpyNote should not be viewed as a single malware family in a narrow sense, but rather as a flexible\r\noperator toolkit capable of adapting to changes in the Android security model. In its current form, the term\r\n“SpyNote” effectively encompasses a broad family of forks and variants with varying levels of sophistication,\r\nsome of which diverge significantly from the original 6.4 release — an important consideration for both technical\r\nanalysis and campaign attribution. 
Its presence within the mobile threat landscape should therefore be assessed\r\nhttps://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nPage 19 of 21\n\nfrom a long-term perspective, with emphasis on behavioural detection, event correlation, and monitoring for abuse\r\nof the core mechanisms of the Android system.\r\nIndicators of Compromise (IoC)\r\nAnalysed Samples\r\nsonapk.apk\r\nSHA256: 3cf8bd9828f8fe52867fcb09f3caa59f5ce0aa76ff20cf644807ae76b57c2c86\r\nC2: tcp://103.61.224[.]102:2323\r\nGmail.apk\r\nSHA256: 8f09663836bef9fad23b34560dbcb0848e99d66e40787c37d498e7647792d5b6\r\nC2: tcp://103.61.224[.]102:2323\r\ninpost.apk\r\nSHA256: 40d31617f45e8317e9d8fa6e42e67d587bdc546b50fd2197b26ac27b51d037de\r\nC2: tcp://103.61.224[.]102:3333\r\nRoblox Modded.apk\r\nSHA256: acf2d29c8c65ee2fe57445e672fbee01fa240b0039b66ea507f110468c6c8210\r\nC2: tcp://144.31.30[.]235:7771\r\nOther (latest) samples\r\nSHA256: 6fd37bbd31b52c6312a0c7972d7fe7242dade45f3d8faa2fc548bef2e3400ecd\r\nC2: tcp://20.82.176[.]195:7771\r\n SHA256: 231b21251d16d17e564a2014765d1de553eb821abd92781b18c94889650a3bf7\r\nC2: tcp://91.92.251[.]105:12004\r\n SHA256: b29b8bd2d47254de3d7bf21d7610209d3cc4db49cd3e7ba2fd1ea040f49cb6db\r\nC2: tcp://185.87.254[.]82:2305\r\nSHA256: d9c47a7d7e42402c3ce2dd191ea09e9f7e29b1ee8d78d9aec0a47ed7b4bcdb80\r\nC2: tcp://mm-includes.gl.at.ply[.]gg:33004\r\nSHA256: 5d4aa3800788f80d2a0b0460574ee3d3403c642b19e294941cd9e59b37aebae5\r\nC2: tcp://193.161.193[.]99:40920\r\nSHA256: d14fb879a81e6c415146092d2aab8f8c69991828dbebc0ec27363248f9b260c0\r\nC2: tcp://83.217.209[.]142:1333\r\nSHA256: e21f8722ab3d3557e7b0dda0faca39c517bbf0afd84bf4bbdc92687c9bd58aae\r\nC2: tcp://tcp.cloudpub[.]ru:48683\r\nSources and Reference Materials\r\nhttps://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nPage 20 of 21\n\n1. https://www.mobile-hacker.com/2025/06/05/analysis-of-spyware-that-helped-to-compromise-a-syrian-army-from-within/\r\n2. https://www.group-ib.com/blog/craxs-rat-malware/\r\n3. 
https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote\r\n4. https://hunt.io/malware-families/spynote\r\n5. ThreatLabz 2025 Mobile, IoT \u0026 OT Threat Report\r\n6. https://app.apkdetect.com/search/?malware=SpyNote\r\nEND OF ANALYSIS — 21 January 2026 (IR3k)\r\nThe following analysis does not aim to provide an exhaustive description of all capabilities and variants of the\r\nSpyNote malware family. It focuses on selected technical aspects and representative samples observed in recent\r\ncampaigns, with particular emphasis on architectural design, privilege abuse mechanisms, persistence, and\r\ncommand-and-control communication. While SpyNote implements a wide range of additional features and\r\nvariants, only those deemed most relevant from a defensive and analytical perspective are discussed.\r\nThe purpose of this report is strictly educational and analytical, intended to highlight techniques employed by\r\ncontemporary Android malware and to support detection, analysis, and threat awareness efforts. Any inaccuracies\r\nor omissions are unintentional and do not affect the overall analytical conclusions.\r\nThis analysis has been published on the CERT Orange Polska portal at:\r\nhttps://cert.orange.pl/aktualnosci/operacyjna-analiza-kanalow-komunikacyjnych-mobilnego-rcsa/\r\nSource: https://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nhttps://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@ireneusz.tarnowski/spynote-d7d0f31ec697"
	],
	"report_names": [
		"spynote-d7d0f31ec697"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c306e698-3b48-46d7-b571-3dfa0c828379",
			"created_at": "2023-05-16T02:02:09.957677Z",
			"updated_at": "2026-04-10T02:00:03.364345Z",
			"deleted_at": null,
			"main_name": "APT43",
			"aliases": [],
			"source_name": "MISPGALAXY:APT43",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "0769c188-62ce-44ee-8e9d-1067f3d3c083",
			"created_at": "2022-10-25T16:07:24.259063Z",
			"updated_at": "2026-04-10T02:00:04.913621Z",
			"deleted_at": null,
			"main_name": "Pat Bear",
			"aliases": [
				"APT-C-37",
				"Pat Bear",
				"Racquet Bear"
			],
			"source_name": "ETDA:Pat Bear",
			"tools": [
				"Bladabindi",
				"CypherRat",
				"DroidJack",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"Jenxcus",
				"Jorik",
				"Kognito",
				"Njw0rm",
				"SSLove RAT",
				"SpyNote",
				"SpyNote RAT",
				"WSHRAT",
				"dinihou",
				"dunihi",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434281,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e16c3e73298f619af6c3048f3b6cfd24909e767a.pdf",
		"text": "https://archive.orkl.eu/e16c3e73298f619af6c3048f3b6cfd24909e767a.txt",
		"img": "https://archive.orkl.eu/e16c3e73298f619af6c3048f3b6cfd24909e767a.jpg"
	}
}