Spynote Hunts South Asian Leaders

Cyfirma analyzed a malicious Android application built to attack high-value targets in South Asia. The sample was created with the Spynote remote administration tool. The likely goal is assumed to be assets of interest to APT groups; details about the victims and the specific regions are not disclosed.

The malicious application was found to spread through WhatsApp. The victim was sent four variants, named “Best Friend,” “Best-Friend 1,” “Friend,” and “Best”. All of them reported to a single control server. The programs installed silently, ran in the background, and used obfuscated code.

Spynote requests a number of permissions to reach key data on the device, including geolocation, contacts, SMS, device storage, and the camera. It can also intercept calls, collect system data, and abuse special system capabilities to monitor the screen and input text.

The malicious code collects data such as the IMEI, SIM card information, Android version, and network type, and sends it to the control server immediately. It also captures screenshots and copies user data such as contacts, messages, and photographs.
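The permission set and data-collection capabilities described in the two paragraphs above translate directly into what a defender can look for in an APK's manifest. The following triage script is an added example, not code from Cyfirma's report: it maps the article's capability list (location, contacts, SMS, storage, camera, calls, device identifiers, screen and input monitoring) to the Android permissions that grant them and scores a manifest by how many of those capabilities it requests. The capability-to-permission mapping, the threshold, and the sample manifest are all assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability named in the article -> manifest permissions that grant it.
# This mapping is an assumption made for triage, not taken from Cyfirma's analysis.
CAPABILITY_PERMISSIONS = {
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "camera": {"android.permission.CAMERA"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO"},
    "device_identifiers": {"android.permission.READ_PHONE_STATE"},
}

def _attr(elem, name):
    # Attributes in the manifest live in the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def declared_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {_attr(e, "name") for e in root.iter("uses-permission") if _attr(e, "name")}

def binds_accessibility_service(manifest_xml):
    """True if a <service> is guarded by BIND_ACCESSIBILITY_SERVICE (screen/input monitoring)."""
    root = ET.fromstring(manifest_xml)
    return any(_attr(s, "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))

def triage(manifest_xml, threshold=5):
    """Map declared permissions to the spyware capabilities the article lists and score them."""
    perms = declared_permissions(manifest_xml)
    hits = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    if binds_accessibility_service(manifest_xml):
        hits.append("screen_and_input_monitoring")
    return {"capabilities": hits, "score": len(hits), "suspicious": len(hits) >= threshold}

# Constructed sample manifest (not a real Spynote artifact) requesting the article's permission set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application><service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
```

Running `triage(SAMPLE_MANIFEST)` on the constructed manifest yields a score of 7 with `suspicious` set to True; a manifest that only asks for INTERNET scores 0.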

Spynote and its variants, including Spymax and Crax Rat, are actively used by criminal hackers and APT groups such as OilRig (APT34) and APT-C-37. These tools help attackers spy on communications, steal data, and maintain access to victims' systems.

Previous Spynote incidents targeted government institutions, NGOs, media, and financial organizations. The current case suggests the involvement of an unknown APT group or another cybercrime actor.

Spynote remains a significant threat because it is readily available on underground forums and Telegram channels. Attacks using it show that attackers favor reliable, capable tooling when compromising high-profile targets.
