{
	"id": "d186b895-d06e-4269-b861-461b50ff2004",
	"created_at": "2026-04-06T00:11:09.800351Z",
	"updated_at": "2026-04-10T03:21:40.848821Z",
	"deleted_at": null,
	"sha1_hash": "ed6b82bc25376e5f1b131f113e9845691a950ca2",
	"title": "New Trojan SpyNote Installs Backdoor on Android Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 36176,
	"plain_text": "New Trojan SpyNote Installs Backdoor on Android Devices\r\nBy Tom Spring\r\nPublished: 2016-07-29 · Archived: 2026-04-05 18:42:18 UTC\r\nA new SpyNote Trojan can give bad guys control over your phone, from the camera and microphone to eavesdropping\r\non phone calls.\r\nA new Android Trojan called SpyNote has been identified by researchers who warn that attacks are forthcoming.\r\nThe Trojan, found by Palo Alto Networks’ Unit 42 team, has not been spotted in any active campaigns, but researchers say it is\r\nnow widely available on the Dark Web and that it will soon be used in a wave of upcoming attacks.\r\nUnit 42 discovered the Trojan while monitoring malware discussion forums. Researchers say that’s where they\r\nfound a malware builder tool specifically designed to be used to create multiple versions of the SpyNote Trojan.\r\nSpyNote has a wide range of backdoor features that include the ability to view all messages on a device,\r\neavesdrop on phone calls, activate the phone’s camera or microphone remotely or track the phone’s GPS location.\r\nThe APK (Android application package file) containing the remote access tool (RAT) SpyNote gives an attacker\r\ncomplete access to a victim’s phone.\r\nSpyNote is similar to other remote administration tools such as OmniRat and DroidJack. DroidJack made news\r\nearlier this month when researchers at Proofpoint found a rigged version of the massively popular game Pokémon\r\nGo with the Trojan. 
OmniRat is similar in function and was first spotted in Germany in November by researchers\r\nwho said targeted victims received a text message asking them to download an app to view an image.\r\nOnce installed, SpyNote is hard to get rid of; it removes the SpyNote application icon from the victim’s phone and\r\ncan install new APKs and update the malware.\r\n“The SpyNote APK requires victims to accept and give SpyNote many permissions, including the ability to edit\r\ntext messages, read call logs and contacts, or modify or delete the contents of the SD card,” according to a\r\ntechnical description of the malware.\r\nPalo Alto has gleaned important details of SpyNote from what it identifies as a video demonstrating the\r\ncapabilities of the malware. In the video hacking tutorial a user appears to be putting SpyNote through its paces,\r\nshowing a remote takeover of an Android device.\r\nhttps://www.youtube.com/watch?v=E9OxlTBtdkA\r\n“The uploader might be following the instructions described in YouTube videos on using SpyNote, considering\r\nthe port number used is exactly the same as in the videos and the uploader only changes the icon of the APK file,”\r\nwrote Jacob Soo.\r\nSpyNote is configured to communicate with a command and control server by IP address over TCP, using hard-coded SERVER_IP and SERVER_PORT values. That has given researchers the ability to extract C2 information\r\nfrom the malware.\r\nUnlike the closely related RATs OmniRat and DroidJack, researchers say they have not seen SpyNote in the wild,\r\nso how attackers might lure victims into downloading the Android APK is still unknown.\r\nSource: https://threatpost.com/new-trojan-spynote-installs-backdoor-on-android-devices/119560/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/new-trojan-spynote-installs-backdoor-on-android-devices/119560/"
	],
	"report_names": [
		"119560"
	],
	"threat_actors": [],
	"ts_created_at": 1775434269,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed6b82bc25376e5f1b131f113e9845691a950ca2.pdf",
		"text": "https://archive.orkl.eu/ed6b82bc25376e5f1b131f113e9845691a950ca2.txt",
		"img": "https://archive.orkl.eu/ed6b82bc25376e5f1b131f113e9845691a950ca2.jpg"
	}
}