SpyNote spyware targets European bank customers with aggressive campaigns

SpyNote's threat landscape and mechanism

SpyNote spyware used to target European bank customers

SpyNote, an Android banking trojan also known as SpyMax, has persistently targeted customers of several European banks, most aggressively during June and July 2023. Cleafy, the Italian cybersecurity firm, detailed the new surge of attacks in a report.[1]

This research aims to show some new details about how TAs are using SpyNote and social engineering techniques to perform Account Takeover attacks (ATO) and on-device fraud (ODF) against customers of several banks in Europe.

The malware works by abusing Android's accessibility permissions, granting itself the privileges it needs to act as a powerful tool in the hands of cybercriminals. Its functionality goes beyond traditional spyware: it also carries out bank fraud, a combination that sets it apart in the malware world.
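Because the accessibility permission is the foothold described above, the first thing to check on a suspect device is which apps currently hold it. The following shell script is an added example, not code from Cleafy's report or from 2-Spyware; it assumes adb access to the device and a site-specific allowlist, and the sample setting value is constructed.

```shell
#!/bin/sh
# Triage which packages hold Android's accessibility permission, the privilege
# SpyNote abuses. Added example; assumes adb and an allowlist you maintain.

# Packages expected to run accessibility services on this fleet (assumed allowlist).
ALLOWED="com.google.android.marvin.talkback com.android.switchaccess"

# Print the packages in an enabled_accessibility_services value that are not
# on the allowlist. The value is colon separated: "pkg/service:pkg/service".
flag_unexpected_a11y() {
    value="$1"
    # An empty value or the literal "null" means no accessibility service is enabled.
    [ -z "$value" ] || [ "$value" = "null" ] && return 0
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r entry; do
        pkg="${entry%%/*}"            # keep only the package part of pkg/service
        [ -z "$pkg" ] && continue
        case " $ALLOWED " in
            *" $pkg "*) ;;                # expected accessibility app
            *) printf '%s\n' "$pkg" ;;    # unexpected holder of the permission
        esac
    done
}

# Live use: read the setting from a connected device (requires adb).
check_device() {
    live="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    flag_unexpected_a11y "$live"
}

# Constructed sample: TalkBack plus an unknown package posing as a banking app.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakebank/com.example.fakebank.A11yService'

# Uncomment to run against a connected device:
# check_device
```

Any package the script prints should be reviewed alongside the device's recent installs and whether the app still has a launcher icon.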

The SpyNote attack typically commences with an SMS or email disguised as a legitimate banking communication, urging victims to install a fraudulent banking app. Victims, when clicking the link, are redirected to the legitimate TeamViewer QuickSupport app on the Google Play Store. Attackers exploit this app to gain remote access to the victim's device and stealthily install malware.

Attackers build on this by using TeamViewer as a conduit, even phoning victims while impersonating bank operators. This multi-pronged approach, combining remote access trojan (RAT) capabilities, vishing, and social engineering, has proved highly effective.

SpyNote’s functionality is indeed versatile, able to access a wide array of information from infected devices. From geolocation data and keystrokes to screen recordings and SMS messages, the scope of data gathered is vast, with capabilities even to bypass SMS-based two-factor authentication (2FA).

Sophisticated techniques, targets, and link to other threat actors

Once established on a device, SpyNote reveals its full threat potential. Beyond collecting data, it uses code obfuscation, anti-emulator checks, and hiding of the application icon to hinder manual removal.

These evasion techniques combine several strategies, including redundant or junk code that slows down static analysis and checks for emulated or sandboxed environments. Such measures restrict the malware's operation to genuine victim devices, making it harder for security researchers to analyze.

SpyNote's connections with other cyber threats add to its danger. Researchers have observed links to the hack-for-hire operation known as Bahamut, which overlaps with the DoNot Team,[2] a known nation-state actor. Moreover, SpyNote shares identical features with an app housing Android malware dubbed CoverIm.

The precise details of the social engineering facet of the assault remain ambiguous, but it is recognized that Bahamut often depends on fabricated identities on platforms like Facebook and Instagram. By posing as technology recruiters for prominent tech firms, journalists, students, or activists, they cunningly deceive unsuspecting users into inadvertently downloading malware onto their devices.[3]

These intricate connections, shared techniques, and simultaneous campaigns across different regions highlight a potentially coordinated, widespread effort. Such alignment makes SpyNote an even more significant threat, necessitating a comprehensive understanding of its evolving strategies.

Continuing threat and need for defense measures

SpyNote's continuous and aggressive campaigns are a clear warning to the cybersecurity community. Cleafy's detailed report not only highlights the surge in spyware infections but also emphasizes that data-collecting Android malware can shift and expand its capabilities beyond data collection relatively quickly.

The situation became graver after the leak of SpyNote's source code in October 2022, which opened the door to numerous cybercriminals. Each of them now has access to a sophisticated trojan, reinforcing fears about large-scale use of this highly capable spyware. ThreatFabric security researchers wrote about its availability on GitHub:[4]

In October 2022, the source code was made available as open-source via GitHub, after a leak and a few scamming incidents in hacking forums, where actors would impersonate the original threat actor to steal money from other criminals.

Cleafy concludes that vigilance, updated security measures, and strong two-factor authentication procedures are paramount. They characterize the recent SpyNote campaign as one of the most aggressive in recent times and anticipate continued exploitation due to the malware's multifaceted functionalities.

About the author

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.