Squid Game themed Android malware hides SpyNote spyware

October 27, 2021

The series Squid Game has been a global phenomenon in the last few weeks, and malware writers are using this popularity to spread their malicious creations. We have started seeing numerous malicious Android apps use the name and icons of Squid Game. One of the highlights was SpyNote, which has been masquerading as popular Android apps.

We have previously reported on the Android spyware SpyNote, which masquerades as popular applications. It uses the popularity of these apps to spread the infection, and in this case it is using the popularity of Squid Game to do the same.

 

  • Application Name: Squid Game Fake Call 1
  • Package Name: cmf0.c3b5bm90zq.patch
  • MD5: 785a9475c1088a798512ca6ab6d8b0f1

The app requests a large number of suspicious permissions for an application that does ‘Fake Call’:

 

SpyNote requests accessibility services and device admin privileges once installed and executed:

SpyNote can install a legitimate APK present in the resources – res/raw/google.apk. It uses this to list a legitimate accessibility services entry when executed.
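A static triage check for the two indicators described so far, the sample's MD5 and an APK bundled inside the app's resources, written as an added example (not code from the original post or from SonicWall). It also scans `assets/`, which goes beyond the `res/raw/` path named above, and the sample APK it builds is constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# MD5 taken from this post; everything else below is constructed for the demo.
KNOWN_MD5 = {"785a9475c1088a798512ca6ab6d8b0f1"}
ZIP_MAGIC = b"PK\x03\x04"  # local file header; an APK is a ZIP archive


def triage_apk(apk_bytes):
    """Return static findings for one APK: hash match and embedded APKs."""
    md5 = hashlib.md5(apk_bytes).hexdigest()
    findings = {"md5": md5, "known_sample": md5 in KNOWN_MD5, "embedded_apks": []}
    try:
        outer = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile:
        findings["error"] = "not a valid ZIP/APK"
        return findings
    with outer:
        for info in outer.infolist():
            # Only resource and asset folders are scanned for bundled payloads.
            if not info.filename.startswith(("res/raw/", "assets/")):
                continue
            with outer.open(info) as fh:
                head = fh.read(4)
            # Flag by content, not extension: a bundled APK may be renamed.
            if head == ZIP_MAGIC:
                findings["embedded_apks"].append(info.filename)
    return findings


def build_sample(embed_payload):
    """Constructed test APK: a ZIP with an optional nested ZIP in res/raw/."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", b"constructed")
        z.writestr("res/raw/sound.ogg", b"OggS constructed")
        if embed_payload:
            z.writestr("res/raw/google.apk", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample(True)))
```

An embedded APK is not malicious by itself; treat a hit as a reason to inspect the manifest for the accessibility and device admin requests described above.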

 

Upon execution, the icon disappears from the app drawer, but in the background the malware starts performing malicious actions. A few of its functionalities are listed below:

  • The app checks the applications installed on the device:

 

  • It uses a hardcoded server address and port number and later communicates using sockets:

 

  • We identified multiple malicious APKs that are linked to this campaign, as they communicate with the same server. The VirusTotal graph below highlights this:

 

  • It captures details about the device, which the perpetrators can use to identify the victim and gather additional details. The following were identified:
    • Device manufacturer
    • Device model
    • OS version
    • SIM
    • Wi-Fi
    • Bluetooth
    • Location

 

  • It has access to call logs and can make calls from the infected device:

 

SpyNote has been known to masquerade as popular Android apps. It is good at selecting trending topics and modifying the malware's look and feel to mimic such topics. We anticipate that more malware writers will follow this trend and use the popularity of Squid Game to spread malware.

 

SonicWall Capture Labs provides protection against multiple threats associated with this campaign using the signatures listed below:

  • AndroidOS.SpyNote.GN
  • AndroidOS.SpyNote.PT
  • AndroidOS.SpyNote.SP
  • AndroidOS.SpyNote.SC