Mon. Feb 26th, 2024



Researchers have put the Android banking trojan SpyNote under thorough analysis to uncover its various data collection capabilities. This fake Android app disguises itself as an operating system update to lure targets into granting it accessibility services permissions, which it then uses to steal SMS and banking data.
According to a report by cyber security company F-Secure, this malware is primarily distributed through SMS phishing campaigns. The report also notes that SpyNote uses attack chains that deceive potential victims into installing the app by asking them to click on an embedded link.
Apart from seeking permissions for call logs, the camera, SMS messages and external storage access, SpyNote is also dangerous because of its ability to hide its presence both on the Android home screen and in the Recents screen. This makes the malware harder for users and security tools to detect.
How hackers are using this Android trojan
In a published analysis, F-Secure researcher Amit Tambe claims: “The SpyNote malware app can be launched via an external trigger. Upon receiving the intent, the malware app launches the main activity.”
The malware mainly asks for accessibility permissions and then misuses them to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots of the phone via the MediaProjection API.

A closer examination of the malware has also revealed the presence of "diehard" services, which are designed to resist attempts to terminate the malware, whether those attempts come from the victim or from the operating system.
This is accomplished by registering a broadcast receiver that restarts the malware automatically whenever it is about to be shut down. Moreover, users who try to uninstall the malicious app by navigating to Settings are prevented from doing so, because the malware abuses the accessibility APIs to keep closing the menu screen.
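As an added illustration for defenders (not part of the article or of F-Secure's analysis), the following Python triage script checks an AndroidManifest.xml for the profile described above: an accessibility service, SMS/call-log harvesting permissions, a self-relaunching broadcast receiver and an activity hidden from Recents. The manifest it parses is a constructed sample and the component names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android manifest namespace

# Permissions the article attributes to SpyNote, keyed by what they unlock
RISKY_PERMS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.CAMERA": "camera access",
    "android.permission.RECORD_AUDIO": "record audio and calls",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "relaunch after reboot",
}

# Constructed sample manifest showing the profile described in the article (not a real SpyNote sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".Main" android:excludeFromRecents="true"/>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Revive">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

RELAUNCH_ACTIONS = ("android.intent.action.BOOT_COMPLETED", "android.intent.action.MY_PACKAGE_REPLACED")

def triage_manifest(xml_text):
    """Flag the accessibility + data-harvesting + self-restart profile in an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    hits = {p: RISKY_PERMS[p] for p in sorted(perms & RISKY_PERMS.keys())}
    # Accessibility services are <service> elements guarded by BIND_ACCESSIBILITY_SERVICE
    a11y = [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    # Receivers that relaunch the app on boot or package update are the "diehard" persistence pattern
    revive = [r.get(A + "name") for r in root.iter("receiver")
              if any(a.get(A + "name") in RELAUNCH_ACTIONS for a in r.iter("action"))]
    # excludeFromRecents keeps the activity out of the Recents screen, as the article describes
    hidden = [a.get(A + "name") for a in root.iter("activity") if a.get(A + "excludeFromRecents") == "true"]
    harvesting = bool(perms & {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                               "android.permission.READ_CALL_LOG"})
    return {"risky_permissions": hits, "accessibility_services": a11y, "revive_receivers": revive,
            "hidden_activities": hidden, "suspicious": bool(a11y) and harvesting and bool(revive)}
```

The verdict is a triage heuristic only: legitimate accessibility or SMS apps can match individual indicators, so flagged samples still need manual review.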
Tambe also notes: “The SpyNote sample is spyware that logs and steals a variety of information, including keystrokes, call logs, information on installed applications, and so on. It stays hidden on the victim’s device making it challenging to notice. It also makes uninstallation extremely tricky. The victim is eventually left only with the option of performing a factory reset, losing all data, thereby, in the process.”
