Affecting financial institutions since late 2022, the Android spyware, SpyNote, has demonstrated an evolving threat landscape, expanding its capabilities to orchestrate bank fraud.

Cleafy’s security research team has revealed fresh insights about SpyNote, delineating how this malevolent software leverages Accessibility services along with varied Android permissions to engage in an array of malicious activities.

Spread primarily through deceptive email phishing and smishing tactics, SpyNote employs a mixed bag of malicious methodologies, including remote access trojan (RAT) capabilities and vishing attacks. Notably, during the summer months of 2023, a significant uptick in targeted campaigns against a variety of European bank customers was observed.

The advisory report published earlier today by Cleafy’s Threat Intelligence Team outlines their consistent surveillance of the increasing trajectory of spyware infections, with SpyNote identified as a leading offender. This malware’s capacity to effectively masquerade as legitimate applications enhances its threat level significantly.

Victims usually encounter an initial deception via an SMS message encouraging the download of a “newly certified banking app”. This is followed by a redirection towards an ostensibly legitimate TeamViewer app, designed for technical remote assistance. In actuality, this initial deceptive step is a strategy to achieve remote access to the unsuspecting victim’s device.

The principal functionalities of SpyNote revolve around its ability to exploit Accessibility services for automatically accepting other permission prompts and executing keylogging activities. The malware uses tracking of user activities to gain access to vital data like installed applications, specific app attributes, and text inputs. This obtained data is then used to illicitly acquire sensitive banking details.

Moreover, SpyNote possesses the ability to intercept SMS messages, which includes two-factor authentication (2FA) codes, and forward them to the perpetrators’ command-and-control (C2) server. This allows the malware to circumvent additional security layers established by financial institutions and also enables screen recording, further empowering the attackers with comprehensive control and information.

In order to avoid being discovered and analyzed, SpyNote incorporates a series of defense evasion tactics such as code obfuscation, anti-emulator controls, and application icon hiding to prevent manual removal.

In their final observations, Cleafy indicated that the ferocity and extensive scope of the recent SpyNote campaign suggest the probability of threat actors exploiting this spyware’s multifunctional potential to continue orchestrating bank fraud in the future.

The report read, “The intensity and reach of this recent SpyNote campaign lead us to infer that threat actors are likely to persist in their utilization of this spyware for bank fraud, given its multipurpose capabilities.”

The onus is on financial institutions and users to stay alert to phishing and smishing attempts, while consistently updating their security defenses to combat these progressively evolving threats.