SpyNote is a Remote Access Trojan (RAT) that initially surfaced in 2020. Since then, it has grown into one of the most common Android malware families, with numerous variants, integrations of other RATs (e.g., CypherRat), and over 10,000 known samples. Since 2023, its operators have shown a growing interest in financial institutions.
On 1 February 2024, analysts found a malicious sample posing as a legitimate crypto wallet that bundled the SpyNote RAT with several notable additions related to anti-analysis and cryptocurrencies.[1]
- Affected Platform: Android
- Impacted Users: Android users with mobile crypto wallet or banking applications
- Impact: Financial Loss
- Severity Level: Medium
Accessibility API for Crypto Wallet injections - Like much Android malware today, this sample abuses the Accessibility API, which is designed to let assistive apps read the screen and perform UI actions on the user's behalf. For example, the sample uses it to record the gestures the victim makes to unlock the device. What is new is that this SpyNote sample also uses the Accessibility API to target well-known crypto wallets.
The sample's code recognizes that a legitimate crypto wallet is in use and displays an overlay on top of it.
The injected overlay is a WebView whose HTML content is hard-coded in the sample as a Base64 string.
Decoding the overlay yields an HTML page for cryptocurrency transfers. Notice that the page shows a transfer between two hard-coded fake wallets. In the original report, the "…" between the alleged wallet addresses appear exactly as in the code (the analysts censored the complete addresses). To a malware analyst, these addresses are obviously fake. The victim, however, is unlikely to notice, because (1) wallet addresses are long strings that are hard to verify by eye, and (2) the page looks as if the victim's legitimate wallet app displayed it (in reality it is drawn over the real wallet app, but nothing on screen reveals this).
In addition, the malicious code uses the Accessibility API to fill out the transfer form automatically and send a given amount of cryptocurrency to the cybercriminals. Precisely, the code performs the following tasks:
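The same hiding trick can be turned against the sample during triage. The following Python script is an added example, not part of Fortinet's analysis or the sample's code: it scans a strings dump of a decoded DEX for long Base64 runs, decodes the ones that turn out to be HTML, and pulls out anything that looks like a full or elided wallet address. The dump, the class name, the HTML and the addresses in it are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample: a strings(1)-style dump of a decoded DEX. The class
# name, HTML and addresses are made up for this example; only the technique
# (Base64-encoded HTML loaded into a WebView) mirrors the sample.
OVERLAY_HTML = (
    "<html><body><form id='transfer'>"
    "<p>From: 0x12ab...cd34</p><p>To: 0x98fe...76dc</p>"
    "<input name='amount' value='MAX'></form></body></html>"
)
SAMPLE_STRINGS = "\n".join([
    "Lcom/example/wallet/OverlayService;",
    "loadDataWithBaseURL",
    base64.b64encode(OVERLAY_HTML.encode()).decode(),
    "text/html",
    "U29tZSBzaG9ydCBCYXNlNjQgc3RyaW5n",  # short Base64, below the size cut-off
    "A" * 84,                             # long valid Base64 run that is not HTML
])

# Base64 runs of at least 64 characters (48 decoded bytes) with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
HTML_MARKERS = (b"<html", b"<body", b"<form", b"<input", b"<div")
# Wallet-address-looking tokens: 0x plus 40 hex digits, or an elided
# "prefix...suffix" form like the one shown in the sample's fake page.
ADDRESS_LIKE = re.compile(
    r"0x[0-9a-fA-F]{40}|(?:0x)?[0-9A-Za-z]{4,}(?:\.\.\.|\u2026)[0-9A-Za-z]{4,}"
)


def decode_candidate(token):
    """Strictly decode one Base64 token; return bytes, or None if it is not Base64."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_html_overlays(text):
    """Return decoded HTML blobs hidden as Base64 in a string dump, each with
    its offset in the dump and the address-like tokens it contains."""
    hits = []
    for match in B64_RUN.finditer(text):
        raw = decode_candidate(match.group(0))
        if raw is None:
            continue
        if not any(marker in raw.lower() for marker in HTML_MARKERS):
            continue                      # Base64, but not an HTML page
        html = raw.decode("utf-8", errors="replace")
        hits.append({
            "offset": match.start(),
            "html": html,
            "addresses": ADDRESS_LIKE.findall(html),
        })
    return hits


if __name__ == "__main__":
    for hit in find_html_overlays(SAMPLE_STRINGS):
        print(f"offset {hit['offset']}: HTML overlay, addresses {hit['addresses']}")
```

Run it over the output of `strings` on the decoded DEX (or over the output of a decompiler) rather than on the raw APK; the 64-character cut-off keeps short Base64 tokens such as icon data out of the results, and the strict decode rejects look-alike runs of identifier characters.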
- Reads and memorizes the destination wallet address (field input_value)
- Reads and memorizes the amount (field input_general_amount)
- Modifies the destination address, replacing it with the attacker's crypto wallet address (initializeService.usdtadress). This address is supplied by the remote server the malware communicates with.
- Clicks on Max (action_max), which requests that the full balance be sent rather than a portion.
- Clicks on the Next/Continue button.
These operations are performed automatically through the Accessibility API, without the user's intervention.
Permissions for the Accessibility API - To gain access to the Accessibility API, malware must lure victims one way or another into granting the necessary rights, and this sample follows the same strategy. Analysts remind end users that they should never do this: while legitimate apps rightfully request the Accessibility Service to help people with disabilities, such a request should be treated as highly suspicious when it comes from an alleged crypto wallet, PDF reader, video player, etc. The two screenshots in the original report show (1) the SpyNote malware requesting the Accessibility Service and (2) how, when the user grants the access, the Android OS displays an additional warning window explaining the risks. At that point, it is still possible to click "Deny," and the malware will not gain access.
Unfortunately, once the victim clicks "Allow," it is basically game over: the malware can navigate, click, read, and modify any application on the device.
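A practical check on a device you administer is to list which apps currently hold accessibility rights. The Python snippet below is an added example (not from the original report): it parses the value of the `enabled_accessibility_services` secure setting, as printed by `adb shell settings get secure enabled_accessibility_services`, and flags every service that is not on an allowlist of assistive apps you intentionally enabled. The sample setting value and the fake wallet and PDF reader packages are constructed; the TalkBack component name is assumed to be the stock screen reader's.

```python
# Constructed value in the format printed by
#   adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/ServiceClass" components; a class
# starting with "." is relative to its package. The fake wallet and PDF
# reader packages are made up; the TalkBack component is assumed stock.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakewallet/.AccessibilityHelper:"
    "com.example.pdfreader/com.example.pdfreader.ReaderA11yService"
)

# Assistive services you deliberately enabled. Anything else holding
# accessibility rights can read and drive every app on the device.
KNOWN_GOOD = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(value):
    """Return (package, fully_qualified_service) pairs from the raw setting.
    `settings get` prints "null" when no service is enabled."""
    if not value or value.strip() == "null":
        return []
    services = []
    for entry in value.strip().split(":"):
        if "/" not in entry:
            continue                      # empty or malformed fragment
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service   # ".Helper" -> "package.Helper"
        services.append((package, service))
    return services


def suspicious_services(value, allowlist=KNOWN_GOOD):
    """Component names of enabled accessibility services not on the allowlist."""
    return [
        f"{package}/{service}"
        for package, service in parse_enabled_services(value)
        if f"{package}/{service}" not in allowlist
    ]


if __name__ == "__main__":
    for component in suspicious_services(SAMPLE_SETTING):
        print("review this accessibility grant:", component)
```

Feed it the real output of the adb command and review each flagged component; a wallet, PDF reader or video player app appearing in this list is exactly the situation the report warns about, and the grant can be revoked under Settings > Accessibility before anything else is done with the device.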
Anti-analysis - Besides injecting crypto wallets, the sample features a simple but efficient anti-analysis technique. Recall that Android Packages (APK) are ZIP files and usually contain a Dalvik executable (classes.dex), a manifest (AndroidManifest.xml), resources, and assets. In this particular case, the sample is malformed: several resource files are stored in the archive under paths that treat classes.dex and AndroidManifest.xml as subdirectories.
But classes.dex and AndroidManifest.xml are files, not directories. Consequently, standard unzip tools fail with many errors, which complicates automated analysis of the sample.
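To see why unzip chokes on such an archive and how to get past it, here is an added Python example (not the sample's or Fortinet's code). It builds a small APK-like ZIP with the same kind of clash (resource entries filed under classes.dex/ and AndroidManifest.xml/; the entry names and contents are constructed, since the page does not list the real ones), shows that ordinary extraction raises an error, and then extracts safely by reading each entry in memory and renaming any directory component that collides with a file entry.

```python
import io
import os
import tempfile
import zipfile


def build_malformed_apk():
    """Build an in-memory ZIP shaped like the malformed sample (constructed
    content, not the real APK): resource entries filed under paths that
    reuse classes.dex and AndroidManifest.xml as if they were directories."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        zf.writestr("classes.dex/res/values/strings.xml", b"<resources/>")
        zf.writestr("AndroidManifest.xml/assets/payload.bin", b"\x00\x01")
    return buf.getvalue()


def naive_extract_fails(apk_bytes):
    """Extract to disk in archive order, as unzip does. Returns True when the
    file-versus-directory clash raises (the failure analysts run into)."""
    with tempfile.TemporaryDirectory() as out:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
            try:
                zf.extractall(out)
            except OSError:               # NotADirectoryError on Linux
                return True
    return False


def safe_extract(apk_bytes, out_dir):
    """Extract every file entry by reading its bytes through the central
    directory, renaming any path component that collides with a file entry
    of the same archive (classes.dex -> classes.dex__dir). Returns the
    relative paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        file_names = {i.filename for i in zf.infolist() if not i.is_dir()}
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            if any(p in ("", ".", "..") for p in parts):
                continue                  # absolute or zip-slip style name: do not trust it
            fixed = []
            for depth, part in enumerate(parts[:-1]):
                prefix = "/".join(parts[: depth + 1])
                fixed.append(part + "__dir" if prefix in file_names else part)
            fixed.append(parts[-1])
            dest = os.path.join(out_dir, *fixed)
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append("/".join(fixed))
    return written


def demo():
    """Run both extractions on the constructed archive and report the results."""
    apk = build_malformed_apk()
    with tempfile.TemporaryDirectory() as out:
        paths = safe_extract(apk, out)
        nested = os.path.join(out, "classes.dex__dir", "res", "values", "strings.xml")
        with open(nested, "rb") as fh:
            nested_content = fh.read()
    return naive_extract_fails(apk), sorted(paths), nested_content


if __name__ == "__main__":
    failed, paths, _ = demo()
    print("plain extractall raised:", failed)
    print("safely extracted:", paths)
```

The ZIP central directory itself is well-formed; only the mapping of entry names onto a filesystem breaks, because a path component that is a file in one entry must be a directory in another. Any pipeline that parses classes.dex and AndroidManifest.xml straight from the archive bytes (as `zf.read()` does above) is unaffected, which is why the trick mainly hurts tooling built around an unzip-to-disk step.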
Conclusion - After showing a growing interest in financial institutions, this new Android/SpyNote sample shows that malware authors are now also targeting cryptocurrencies. The malware's capabilities go beyond mere credential theft: it can initiate cryptocurrency transfers on its own.
As for anti-analysis, while the implemented technique is simple and easily bypassed by a human analyst, it defeats, or at least complicates, automated analysis, giving the malware author a little more time before detection. The sample is detected as Android/SpyNote.F!tr (see the IOCs below), and Android users are urged to pay particular attention to any application requesting the Accessibility API.
IOCs
- File: Imtoken.apk
- SHA1: 8eea235b26fadeecd0f817433c97747853c51a24
- Detection: Android/SpyNote.F!tr
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com.
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies?lctg=141970831