Fake Google Play Pages Spread SpyNote Malware To Android Users
A newly discovered Android malware campaign is distributing the powerful SpyNote Remote Access Trojan (RAT) by mimicking Google Play Store pages on deceptive websites.
In a rush? Here are the quick facts:
- Malicious APK downloads start via fake “Install” buttons.
- SpyNote enables spying, data theft, and remote device control.
- Malware abuses Android permissions to avoid detection and removal.
Security researchers at Infosecurity say the campaign uses recently registered domains to trick users into downloading infected apps disguised as popular software.
The fake pages closely resemble genuine Google Play listings, with image carousels, “Install” buttons, and traces of code referencing TikTok’s Android app. When users click to install, malicious JavaScript triggers an automatic download of a booby-trapped APK file.
Once installed, the APK executes a hidden function that drops a second APK containing the core SpyNote payload. This malware connects to command-and-control (C2) servers using hardcoded IP addresses embedded in its code, enabling remote access and surveillance.
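The two traits described above, a dropper that carries a second APK inside itself and a payload that connects to hardcoded IP addresses, are the kind of thing a defender can check for statically before any code runs. The following is an added example, not code from the researchers or from the report: it builds a toy dropper in memory (the embedded address 203.0.113.45 is a documentation-range placeholder, not a real indicator) and then flags the nested APK and any IPv4 literals found in DEX code.

```python
import io
import re
import zipfile

# IPv4 literal, each octet 0-255; bytes pattern so it runs over raw DEX content.
IPV4_RE = re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def is_apk_bytes(data: bytes) -> bool:
    """An APK is a ZIP archive that carries AndroidManifest.xml; require both."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def triage_apk(data: bytes) -> dict:
    """Flag APKs nested inside this APK (dropper trait) and IPv4 literals in its DEX code."""
    embedded, ips = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            blob = zf.read(info.filename)
            if is_apk_bytes(blob):
                embedded.append(info.filename)
                # Recurse so addresses hardcoded in the dropped payload surface too.
                ips.update(triage_apk(blob)["hardcoded_ips"])
            elif info.filename.endswith(".dex"):
                ips.update(m.decode() for m in IPV4_RE.findall(blob))
    return {"embedded_apks": embedded, "hardcoded_ips": sorted(ips)}


def build_sample_dropper() -> bytes:
    """Constructed sample, not a real artifact: an outer APK whose assets/ entry is a
    second APK, and whose DEX names a placeholder C2 address (203.0.113.45, TEST-NET-3)."""
    def make_apk(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    payload = make_apk({"classes.dex": b"dex\n035\x00 connect 203.0.113.45:8080"})
    return make_apk({"classes.dex": b"dex\n035\x00 loader stub", "assets/data.bin": payload})


if __name__ == "__main__":
    print(triage_apk(build_sample_dropper()))
```

A hit on either heuristic is a reason to pull the sample for deeper analysis, not proof of SpyNote on its own, since legitimate apps occasionally bundle plugin APKs or embed addresses.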
SpyNote grants attackers sweeping control over infected devices. Its features include intercepting calls and SMS, accessing contacts, recording phone calls, logging keystrokes, activating the camera and mic, and tracking GPS location.
The malware can also install other apps, lock or wipe devices, and prevent removal by abusing Android’s accessibility services.
“SpyNote is notorious for its persistence, often requiring a factory reset for complete removal,” warned researchers at DomainTools, who uncovered the campaign, as reported by Infosecurity.
Clues in the malware and delivery infrastructure suggest a possible link to China. The malware contains Chinese-language code and uses Chinese-hosted distribution platforms.
Infosecurity notes that while no definitive attribution has been made, SpyNote has previously been associated with espionage campaigns against Indian defense personnel and with advanced threat groups like APT34 and APT-C-37.
This discovery follows a wave of similar Android-targeted threats, including the recent ToxicPanda malware that targeted banking apps. Security experts recommend avoiding third-party app downloads and relying only on trusted app stores.