Palo Alto Networks has published a blog by Jacob Soo identifying a new Android Trojan called SpyNote. The details are in a blog entitled: “SpyNote Android Trojan Builder Leaked.” The builder is now available in a number of underground forums. This raises the risk of a new wave of serious spyware hitting Android users.
What does SpyNote do?
The blog likens SpyNote to OmniRat and DroidJack. These are Remote Access Tools (RATs) that allow attackers to take control of a device. Unlike some RATs, Spynote does not require root access to the device. This means that it is easier for the hackers to install on devices. It copies its files from the device to the computer in order to protect itself and to spread. This means that a user with several Android devices only needs one successful attack to infect all their devices. For organisations that use Android-based devices and centrally administer them, there is a risk of a mass infection.
The primary targets of SpyNote are the microphone and camera on the device. These allow the attackers to listen and watch what the user is doing. This raises some serious risks for users who have devices in their bedrooms and hotel rooms. The spyware also captures the users last GPS location allowing hackers to know when the user was at home, the office, in a hotel room or with a customer. This means that they can be selective in what they capture. It could be they only want business data or they want information to blackmail their target.
Like other spyware, SpyNote will gather all messages and contacts from the device. This provides them with a wealth of data including security information. The use of 2-factor authentication (2FA) where codes are sent to devices is increasing. Spyware makes it possible for hackers to attack the users bank account, intercept the 2FA message and then log in as them.
The user has to be complicit
Like a lot of malware, there is a degree of the user being complicit for an attack to be successful. SpyNote requires the user to grant it a large number of permissions in order to work. This demand for excess permissions is not just a spyware/malware problem. It has become endemic among apps on mobile devices and social media. This creates a significant challenge for security teams when it comes to educating users as to what they should and should not allow on their devices.
Soo claims that there is no evidence of SpyNote attacks in the wild yet. All the current activity is in the forums around the builder. This will change quickly as we’ve seen with other malware attacks. Google has been cleaning up the Google Play Store and removing a lot of infected software. This may limit SpyNote infections but it doesn’t mean it won’t get through. The most likely approach will be in cloned versions of apps. We’ve seen this happen with Pokémon Go and new versions with embedded malware are still appearing.
It is not just games that are part of the problem here. A lot of cloud-based software offers users access to productivity and entertainment tools. It is relatively simple to create a new cloud site, offer a file sync and share service and immediately capture users. Another route is the use of coupon apps that pretend to act as a clearing house for other coupon programs. Users install them and may get access to some valid coupons. After a while a new version appears asking for extra permissions. The user downloads and installs it, accepting all the new requests for permissions because they see it as valuable and trusted.
Malware such as SpyNote is becoming more commonplace. For hackers the benefits are not just about stealing data but in listening to the lives of their victims. They may get a chance to blackmail the user or pick up sensitive business data such as financial data. Listening in to meetings where a company is discussing its results allows hackers to take share positions ahead of any announcements. Users need to think carefully about how they use their devices and consider turning them off when in sensitive meetings.