Android Spyware SpyNote Targets European Bank Customers in an Aggressive Campaign
SpyNote, an Android spyware and banking trojan, has joined the ongoing threat campaigns against financial institutions. Active since the end of 2022, the trojan has also been observed carrying out bank fraud.
Cleafy’s security researchers revealed that the spyware, also dubbed SpyMax, abuses various Accessibility services and Android permissions to carry out malicious attacks against its victims.
The trojan, known for its spyware and phishing capabilities, is distributed through fake SMS messages (smishing). It combines its remote access trojan (RAT) capabilities with phishing tactics to execute multiple fraudulent activities.
This campaign against customers of multiple European banks was most prevalent around June and July 2023.
The Italian cybersecurity company noted in an advisory that the infection chain primarily begins with a bogus SMS message urging victims to click the accompanying URL to install the certified banking app. A second message redirects the victims to a seemingly legitimate TeamViewer QuickSupport app, which is used to remotely access the victim’s device.
Once installed, the trojan tracks various user activities and harvests sensitive information from the target’s device, including keystrokes, installed applications, text inputs, GPS location, audio and screen recordings, contacts, and SMS messages used to bypass two-factor authentication (2FA). With this information, the attacker can easily steal banking and other financial credentials from the host’s device.
Moreover, to avoid detection, the spyware uses various techniques such as anti-emulator controls, obfuscation and junk code. It also hides itself so that the user is unable to manually remove it from the device.
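The behaviour described above (a sideloaded app holding both an enabled Accessibility service and SMS permissions) can be checked for during device triage. The following Python sketch is an added example, not code from Cleafy's advisory; the package names, the sample command outputs and the trusted-installer list are constructed assumptions.

```python
# Added example: triage of adb-collected device state. All sample data is constructed.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed output of: adb shell settings get secure enabled_accessibility_services
ACCESSIBILITY = ("com.example.bankcert/.core.HelperService:"
                 "com.google.android.marvin.talkback/.TalkBackService")

# Constructed output of: adb shell pm list packages -i
INSTALLERS = """\
package:com.example.bankcert  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.smsbackup  installer=com.android.vending
"""

# Constructed: granted permissions per package (e.g. read from dumpsys package)
GRANTED = {
    "com.example.bankcert": {"android.permission.READ_SMS",
                             "android.permission.RECEIVE_SMS"},
    "com.google.android.marvin.talkback": {"android.permission.VIBRATE"},
    "com.example.smsbackup": {"android.permission.READ_SMS"},
}

def parse_accessibility(raw):
    """Return package names that own an enabled accessibility service."""
    return {c.split("/", 1)[0] for c in raw.strip().split(":") if "/" in c}

def parse_installers(raw):
    """Map package -> installer from `pm list packages -i` lines."""
    result = {}
    for line in raw.splitlines():
        if line.startswith("package:"):
            fields = line[len("package:"):].split()
            inst = [f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")]
            result[fields[0]] = inst[0] if inst else "null"
    return result

def flag_suspects(acc_raw, inst_raw, granted):
    """Flag sideloaded apps holding accessibility access plus SMS permissions."""
    installers = parse_installers(inst_raw)
    hits = []
    for pkg in sorted(parse_accessibility(acc_raw)):
        sms = sorted(granted.get(pkg, set()) & SMS_PERMS)
        installer = installers.get(pkg, "null")
        if sms and installer not in TRUSTED_INSTALLERS:
            hits.append((pkg, installer, sms))
    return hits

if __name__ == "__main__":
    print(flag_suspects(ACCESSIBILITY, INSTALLERS, GRANTED))
```

A hit is a lead for manual review rather than proof of infection, since legitimate sideloaded apps can hold the same combination.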
The advisory also noted that, unlike other banking trojans, the SpyNote campaign is one of the most aggressive observed in recent years. Moreover, its multiple functionalities will make it one of the vectors of choice for threat actors launching bank fraud.
With phishing and smishing campaigns on the rise, it is imperative that both individuals and organizations remain vigilant and employ different security measures to thwart such fraud attempts.