The evolution of Android RAT SpyNote continues

August 18, 2017

Code for the Android Remote Administration Tool (RAT) SpyNote was being distributed on underground forums in mid-2016. Since then multiple variants have surfaced with slight modifications, but all of them preserve the core functionality of SpyNote intact: spying on its victims.

Yet again a new variant has been spotted, and according to a few reports some samples belonging to this new variant were available on Google Play and were potentially installed by a small number of users.

An overview of SpyNote

SpyNote is an Android Remote Administration Tool (RAT) that captures sensitive data on the victim's device and sends it to the attacker. It is usually found advertised on underground forums, as shown below; based on the description in one such forum post (dated 4/30/2017), SpyNote is currently at version 4:

A new variant

We received reports of a new campaign that has been spreading for a while and is heavily based on SpyNote. This variant carries most of the features of SpyNote, some of which are listed below:

  • Read call logs
  • Call a number
  • Extract contact details from the device
  • List files present in different folders on the device
  • Record Audio
  • Delete an app from the device

Spying on the user is not the only objective of this app; it also makes the device vulnerable to further attacks. One of the commands initiates a download from a URL supplied by the attacker. This can be used to download additional malicious apps and further infect the device, or to use the device as a conduit for spreading other malicious campaigns:

  • Initiate a download via URL

A major addition in the new variant is how the attacker communicates with the malware post infection. Commands are sent by the attacker as codes of the form A[number], such as A0, A1 and so on. For every such code there is a case in the malware's command dispatcher which determines what the malware should do:

The output is displayed to the attacker using the format B[number] like B3, B4 followed by the data:

The code contains as many as 72 hardcoded commands.

Some similarities between earlier versions of Spynote and the current malware which strongly suggest ties between the two are:

  • The code structure and class names are similar
  • The focus is on extracting sensitive user information
  • All of the different versions contain the string screamHacker
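The A[number]/B[number] command scheme and the screamHacker marker described above are the kind of traits an analyst checks for when triaging a new sample. The following script is an added example written for this post, not code from the malware or from SonicWall: it scans a decompiled Java listing for A<n> switch-case labels and B<n> response codes, checks for the marker string, and splits a captured B<n> response into its code and payload. The embedded decompiled excerpt is constructed for illustration (the specific command numbers, method names and the assumption that the payload directly follows the B<n> code are all hypothetical; the real sample has 72 commands whose mapping is not reproduced here).

```python
import re

MARKER = "screamHacker"

# Constructed excerpt of decompiled Java in the shape the post describes:
# a switch over A<n> command codes, B<n> response codes and the marker string.
# It is illustrative only, not code recovered from a real SpyNote sample.
SAMPLE_SOURCE = '''
public class CommandHandler {
    static final String TAG = "screamHacker";

    void dispatch(String cmd, String arg) {
        switch (cmd) {
            case "A0": reply("B0", readCallLogs()); break;
            case "A1": placeCall(arg); break;
            case "A2": reply("B2", dumpContacts()); break;
            case "A3": reply("B3", listFiles(arg)); break;
            case "A4": recordAudio(); break;
            case "A5": uninstallPackage(arg); break;
            case "A6": downloadFromUrl(arg); break;
        }
    }
}
'''

# Command codes appear as switch-case labels; response codes as string literals.
CASE_RE = re.compile(r'case\s+"(A\d+)"')
RESP_RE = re.compile(r'"(B\d+)"')
# Assumed framing of a captured response: the data immediately follows the code.
RESPONSE_MSG_RE = re.compile(r'^(B\d+)(.*)$', re.S)


def _by_number(code):
    """Sort key so that A2 sorts before A10."""
    return int(code[1:])


def extract_command_codes(src):
    """Distinct A<n> codes used as case labels in the dispatcher, numerically sorted."""
    return sorted(set(CASE_RE.findall(src)), key=_by_number)


def extract_response_codes(src):
    """Distinct B<n> response codes found as string literals, numerically sorted."""
    return sorted(set(RESP_RE.findall(src)), key=_by_number)


def has_marker(src):
    """True if the screamHacker string shared by all SpyNote versions is present."""
    return MARKER in src


def triage(src, min_commands=5):
    """Summarise the SpyNote-style traits of a decompiled listing.

    The min_commands threshold is an arbitrary choice for this example;
    the variant discussed in the post has 72 commands.
    """
    cmds = extract_command_codes(src)
    resps = extract_response_codes(src)
    marker = has_marker(src)
    return {
        "command_codes": cmds,
        "response_codes": resps,
        "marker_present": marker,
        "spynote_like": marker and len(cmds) >= min_commands,
    }


def parse_response(msg):
    """Split a captured B<n> response into (code, payload).

    Assumes the payload directly follows the code, e.g. "B3/sdcard/DCIM";
    the real wire framing is not documented in the post.
    """
    m = RESPONSE_MSG_RE.match(msg)
    if not m:
        raise ValueError("not a B<n> response: %r" % msg)
    return m.group(1), m.group(2)


if __name__ == "__main__":
    result = triage(SAMPLE_SOURCE)
    print("commands :", result["command_codes"])
    print("responses:", result["response_codes"])
    print("marker   :", result["marker_present"])
    print("verdict  :", "SpyNote-like" if result["spynote_like"] else "inconclusive")
    print("parsed   :", parse_response("B3/sdcard/DCIM/IMG_0001.jpg"))
```

Run it against the output of a decompiler such as JADX by replacing SAMPLE_SOURCE with the contents of the dispatcher class; the case-label regex is deliberately narrow so that unrelated strings beginning with "A" are not counted as commands.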

Android malware constantly evolves through modifications and additions, as we have seen with a number of malware families. The same is true of SpyNote: much like the changes described here, we can expect further modifications from this malware family that improve the potency of this campaign.

SonicWall Capture Labs Threat Research team provides protection against this threat via the following signatures:

  • GAV: AndroidOS.SpyNote.SH (Trojan)
  • GAV: AndroidOS.SpyNote.BN (Trojan)