The notorious SpyNote spyware that has been wreaking havoc on Android devices since last year has recently undergone a development that alerted cybersecurity researchers.
According to reports, the spyware’s operators have augmented their capabilities, enabling them to execute sophisticated bank fraud by harnessing the power of Accessibility services and multiple Android permissions.
The SpyNote spyware spreads through email-based operations such as phishing.
The SpyNote operators disseminate the malware through phishing or smishing attacks, and they carry out their malicious activities using a mix of RAT capabilities and vishing campaigns.
A couple of months ago, researchers noticed a surge of targeted campaigns of spyware operators against numerous European customers of different financial institutions.
The researchers added that they have been closely observing this rising spyware infection trend affecting banks. These malware strains are dangerous to banking firms since they could pose as legitimate banking applications.
Further research stated that the infection commonly starts with a lure SMS message urging users to install a new, supposedly accredited banking application. The lure then redirects users to a fake TeamViewer app presented as technical remote support, a tactic attackers commonly use to gain remote access to a targeted device.
The SpyNote spyware's primary feature abuses Android's Accessibility services to automatically accept further permission prompts and to perform keylogging. By tracking user activity, the spyware can also collect essential data such as the list of installed apps, text inputs, and app properties.
Unfortunately, the actors could use these details to steal sensitive banking credentials if they have successfully executed their tracking process and recorded necessary information.
Threat analysts also noted that SpyNote can intercept SMS messages, including two-factor authentication (2FA) codes, and forward the intercepted messages to an attacker-controlled command-and-control server.
These actions could allow the attackers to bypass the extra authentication layer employed by financial companies. SpyNote can also record the screen, letting its operators capture displayed information and gain further control over their targets.
Finally, the spyware adopts several defence evasion tactics, such as anti-emulator checks, code obfuscation, and hiding the app icon to hinder manual removal, detection and analysis.
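The two capabilities described above, an enabled third-party Accessibility service and SMS read/receive permissions on the same package, are the first things a defender triaging a suspect handset would look for. The following is an added example, not code from the article or from any vendor: it parses constructed samples in the formats of `adb shell settings get secure enabled_accessibility_services` and the "requested permissions" section of `adb shell dumpsys package <pkg>`; the package names and the allowlist are assumptions.

```python
# Added example (not from the article): offline triage of Android settings output
# for the two behaviours the article describes, an abused Accessibility service and
# SMS interception. All input below is constructed; package names are invented.

# Assumption: accessibility services from these packages are expected on the device.
ALLOWLIST = {"com.google.android.marvin.talkback"}

# Constructed sample in the format of `settings get secure enabled_accessibility_services`
# (colon-separated list of package/ServiceClass entries).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.bankupdate/com.example.bankupdate.A11yService"
)

# Constructed excerpts of the "requested permissions" section of `dumpsys package <pkg>`.
SAMPLE_PERMISSIONS = {
    "com.example.bankupdate": """    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.INTERNET""",
    "com.google.android.marvin.talkback": """    requested permissions:
      android.permission.INTERNET""",
}

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def enabled_accessibility_packages(setting: str) -> set:
    """Return the packages that have an enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def requested_permissions(dumpsys_excerpt: str) -> set:
    """Collect android.permission.* names; tolerates 'name: granted=true' lines too."""
    return {line.strip().split(":")[0]
            for line in dumpsys_excerpt.splitlines()
            if line.strip().startswith("android.permission.")}


def triage(setting: str, perms_by_pkg: dict) -> list:
    """Flag non-allowlisted accessibility services and note SMS access on the same package."""
    findings = []
    for pkg in sorted(enabled_accessibility_packages(setting) - ALLOWLIST):
        reasons = ["non-allowlisted accessibility service enabled"]
        if requested_permissions(perms_by_pkg.get(pkg, "")) & SMS_PERMS:
            reasons.append("can read/receive SMS (2FA interception risk)")
        findings.append((pkg, reasons))
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_PERMISSIONS):
        print(pkg, "->", "; ".join(reasons))
```

On a real device, replace the two constructed samples with the actual `adb shell` output and extend the allowlist with the accessibility services your organisation deploys.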
These details show the threat posed by SpyNote. Users should refrain from engaging with unsolicited emails or notifications, since they could be phishing or smishing campaigns from cybercriminals seeking to infect devices with their malicious payloads.