{
	"id": "9faf742f-406d-4b69-9211-b5868487eab5",
	"created_at": "2026-04-06T00:17:51.659041Z",
	"updated_at": "2026-04-10T13:12:40.622784Z",
	"deleted_at": null,
	"sha1_hash": "f2e97704a171af7ee053e560183bcb65ca9a3bd5",
	"title": "SpyNote – An Android Snooper",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1549350,
	"plain_text": "SpyNote – An Android Snooper\r\nPublished: 2022-08-10 · Archived: 2026-04-05 17:03:29 UTC\r\nThreat actors are constantly using new tricks and tactics to target users across the globe. This blog is about SpyNote, an Android RAT targeting Indian Defense personnel. The initial attack vector information was found on the newindianexpress website.\r\nLet’s now get into the details of how this SpyNote works.\r\nThis RAT is propagated via WhatsApp with the name “CSO_SO on Deputation DRDO. apk“.\r\nOnce the user falls prey to this RAT and installs this malicious “CSO_SO on Deputation DRDO. apk”, the app pretends to be the genuine Adobe Reader icon in the device app drawer as shown in Figure 1.\r\nhttps://labs.k7computing.com/index.php/spynote-an-android-snooper/\r\nPage 1 of 12\r\nFigure 1: Fake Adobe Reader icon of the malware\r\nUpon launching, this application opens a Google Drive URL that is hardcoded in the app’s “strings.xml” file and displays the images shown in Figure 2. The hardcoded Google Drive URL in the app’s “strings.xml” file is shown in Figure 3.\r\nFigure 2: Images from Google Drive\r\nFigure 3: Hardcoded Google Drive URL string\r\nTechnical Analysis\r\nFigure 4 shows that this malware refers to services in the AndroidManifest.xml file that are not defined in the classes.dex in the APK’s root folder. This indicates that the services’ classes, or another dex containing the classes, would be loaded in memory at run-time using one of the dynamic loading techniques.\r\nFigure 4: Undefined Class Names in AndroidManifest.xml\r\nThe SpyNote sample which we analyzed employs the technique of setting the “base application context” to the class “com.android.protector.ProtectApplication” as shown in Figure 5.\r\nFigure 5: AndroidManifest.XML showing base context to “com.android.protector.ProtectApplication”\r\nHence, when the application’s launcher activity is triggered, the “attachBaseContext” function from the class “com.android.protector.ProtectApplication” is executed, the other classes.dex files (carried within the APK) are loaded, and functions in those classes.dex files are invoked using reflection and MultiDex support as shown in Figures 6 and 7.\r\nFigure 6: “attachBaseContext” using reflection to load the secondary dex files in the APK\r\nFigure 7: classLoader API loading secondary dex files using MultiDex support\r\nLooking at the logcat at runtime, with MultiDex support, secondary dex files are loaded as base.apk.classes1.zip and converted into the executable ‘base.apk.classes1.odex’ as shown in Figure 8.\r\nFigure 8: The logcat image showing the base.apk.classes1.odex file at runtime\r\nAnalyzing the Payload\r\nThe payload file base.apk.classes1.zip, as shown in Figure 9, has the references to the services’ classes declared in the AndroidManifest.xml.\r\nFigure 9: Defined Class Name from AndroidManifest.xml\r\nThis malware collects location information like altitude, latitude, longitude, precision and even the speed at which the device is moving as shown in Figure 10.\r\nFigure 10: Collects the device location information\r\nSpyNote then proceeds to combine all the aforementioned data and compresses it (using the GZIPOutputStream API) before forwarding it to the C2 server as shown in Figure 11.\r\nFigure 11: Data compression using GZIPOutputStream\r\nC2 Communication\r\nThis RAT contacts the C2 server at IP 213.136.80[.]208, which is hardcoded in the “strings.xml” file (refer to Figure 3). Figure 12 shows the connection established with the C2.\r\nFigure 12: TCP connection with the C2 server\r\nAfter the connection is established, the malware sends the gzip compressed data to the C2, as evident from the network packet’s header in Figure 13.\r\nFigure 13: gzip data sent by the device after establishing the connection with the C2 Server\r\nThe decompressed content of the data is shown below in Figure 14.\r\nFigure 14: Decompressed gzip data showing IP address\r\nDecode packets from the C2\r\nThe C2 responds by sending a series of compressed data which, when decompressed, is revealed to be system commands and the related APK payload as shown in Figure 15. In our case, the APK was extracted using CyberChef.\r\nFigure 15: Getting commands and APK file from C\u0026C server\r\nWe analyzed the C\u0026C command ‘info’ and the associated APK. This command collects the clipboard data and checks the victim’s device for the presence of a hardcoded list of mobile security products, possibly with the aim of disabling them or forwarding the info to the C2.\r\nFigure 16: Collects the clipboard information\r\nFigure 17: Checks for the presence of security related products\r\nThe structure of the commands sent from the C2 to the victim’s device is as follows:\r\nFigure 18: Commands sent by C2\r\nAt K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Also keep your devices updated and patched against the latest vulnerabilities.\r\nIndicators of Compromise (IoC)\r\nPackage Name | Hash | K7 Detection Name\r\ncom.editorpdf.acrobat | F115C634016A9199054358515C19B40B | Trojan ( 005652621 )\r\nC2\r\n213.136.80[.]208\r\nvmi876244.contaboserver[.]net\r\nMITRE ATT\u0026CK\r\nTactics | Techniques\r\nDefense Evasion | Obfuscated Files or Information, Virtualization/Sandbox Evasion\r\nDiscovery | Application Discovery, Security Software Discovery, System Information Discovery\r\nCollection | Email Collection, Data from Local System\r\nCommand and Control | Encrypted Channel, Non-Standard Port\r\nSource: https://labs.k7computing.com/index.php/spynote-an-android-snooper/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/spynote-an-android-snooper/"
	],
	"report_names": [
		"spynote-an-android-snooper"
	],
	"threat_actors": [],
	"ts_created_at": 1775434671,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f2e97704a171af7ee053e560183bcb65ca9a3bd5.pdf",
		"text": "https://archive.orkl.eu/f2e97704a171af7ee053e560183bcb65ca9a3bd5.txt",
		"img": "https://archive.orkl.eu/f2e97704a171af7ee053e560183bcb65ca9a3bd5.jpg"
	}
}