SpyNote RAT

SpyNote is a Remote Access Trojan that initially surfaced in 2020. Since then, it has grown into one of Android's most common malware families, with over 10,000 known samples, numerous variants, and integrations of other RATs (e.g., CypherRat). Since 2023, its operators have shown a growing interest in targeting financial institutions.

On 1 February 2024, analysts found a malicious sample posing as a legitimate crypto wallet that included the SpyNote RAT with several notable additions related to anti-analysis and cryptocurrencies.[1]

Affected Platform: Android

Impacted Users: Android users with mobile crypto wallet or banking applications

Impact: Financial Loss

Severity Level: Medium

Accessibility API for Crypto Wallet injections - Like much Android malware today, this sample abuses the Accessibility API. The API lets an app perform UI actions automatically on the user's behalf; for example, the sample uses it to record device-unlocking gestures. What is new is that this SpyNote sample uses the Accessibility API to target well-known crypto wallets.

The sample's code recognizes the use of a legitimate crypto wallet and displays an overlay over it.
[Screenshot of the decompiled wallet-detection code omitted]

The injected overlay consists of a WebView whose HTML is hard-coded in Base64.


Decoding the overlay yields an HTML page for cryptocurrency transfers. Notice that the page initiates a transfer between two hard-coded fake wallets: the "…" between the alleged wallet addresses appears exactly as in the code (the complete addresses were censored). To a malware analyst, the addresses are obviously fake. However, the victim is unlikely to notice, because (1) wallet identifiers are always long strings of characters and are therefore difficult to verify, and (2) the page looks as if it were displayed by the victim's legitimate crypto wallet application (in reality it is drawn over the real wallet app, but the user cannot tell the difference).

[Screenshot of the decoded overlay HTML omitted]

In addition, the malicious code uses the Accessibility API to fill out a transfer form automatically and send a given amount of cryptocurrency to the cybercriminals. Precisely, the code performs the following tasks:

  • Reads and memorizes the destination wallet address (field input_value)
  • Reads and memorizes the amount (field input_general_amount)
  • Replaces the destination address with the attacker's crypto wallet address (initializeService.usdtadress); this address is supplied by the remote server the malware communicates with
  • Clicks on Max (action_max), which requests sending the full balance rather than a portion
  • Clicks on the Next/Continue button

These operations are performed automatically through the Accessibility API, without any intervention by the user.

Permissions for the Accessibility API - To gain access to the Accessibility API, malware must lure its victims one way or another into granting the necessary rights. This sample follows the same strategy. Analysts remind end-users that they should never do this. While some apps legitimately request the Accessibility API to help people with disabilities, such a request should always be treated as highly suspicious when it comes from an alleged crypto wallet, PDF reader, video player, etc. The two screenshots in the original report (not reproduced here) show (1) the SpyNote malware requesting the Accessibility Service and (2) how, when the access is granted, the Android OS displays an additional warning window explaining the risks. At that point it is still possible to tap "Deny," and the malware will not gain access.

Unfortunately, once the victim taps "Allow," it is essentially "game over," because the malware can then navigate, click, read, and modify any application.

Anti-analysis - Besides injecting crypto wallets, the sample features a simple but effective anti-analysis technique. Analysts remind users that Android Packages (APKs) are ZIP files and usually contain a Dalvik executable (classes.dex), a manifest (AndroidManifest.xml), resources, and assets. In this particular case, the sample is malformed: several resource files are placed in subdirectories named classes.dex and AndroidManifest.xml.

But classes.dex and AndroidManifest.xml are files, not directories, and a file system cannot hold a file and a directory with the same name. Consequently, standard unzip tools fail with many errors, which complicates automated analysis of the sample.
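As an added example (not code from the report, Fortinet, or the malware), the following Python triage helper reproduces the malformed layout on a constructed archive, shows that a plain extraction aborts on it, and still recovers every entry by reading the ZIP directly. All file names and contents are constructed stand-ins, not the real sample.

```python
import io
import tempfile
import zipfile

def build_sample_apk() -> bytes:
    # Constructed stand-in for the malformed layout (not the real sample): file
    # entries whose names also appear as parent directories of other entries.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("classes.dex/res/values/strings.xml", b"<resources/>")
        zf.writestr("AndroidManifest.xml/assets/overlay.html", b"<html></html>")
        zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
    return buf.getvalue()

def find_path_collisions(data: bytes):
    # (entry, parent) pairs where a parent path component is itself a file entry.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    found = []
    for name in names:
        parts = name.rstrip("/").split("/")
        parents = ["/".join(parts[:i]) for i in range(1, len(parts))]
        found += [(name, p) for p in parents if p in files]
    return found

def standard_extract_fails(data: bytes) -> bool:
    # True if a plain extractall() aborts, as an automated unpacking pipeline would.
    with tempfile.TemporaryDirectory() as tmp, zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.extractall(tmp)
            return False
        except OSError:
            return True

def extract_tolerant(data: bytes):
    # Read entries straight from the archive, renaming a colliding parent
    # component to '<name>__dir' (longest first) so every file is recovered.
    colliding = {parent for _, parent in find_path_collisions(data)}
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            safe = info.filename
            for p in sorted(colliding, key=len, reverse=True):
                if safe.startswith(p + "/"):
                    safe = p + "__dir" + safe[len(p):]
            out[safe] = zf.read(info)
    return out
```

Running find_path_collisions over incoming APKs before extraction is a cheap way to flag this trick in an automated pipeline, and extract_tolerant lets the analysis continue instead of stopping at the unzip error.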

Conclusion - Following the family's growing interest in financial institutions, this new Android/SpyNote sample shows that malware authors are now targeting cryptocurrencies as well. Its capabilities go beyond merely spying on credentials: it can initiate cryptocurrency transfers on its own.

As for anti-analysis, while the implemented technique is simple and easily bypassed by a human analyst, it certainly defeats, or at least complicates, automated analysis, giving the malware author a little more time before detection. Our products detect the sample automatically, and we urge Android users to pay particular attention to any application requesting the Accessibility API.

IOCs

File: Imtoken.apk
SHA1: 8eea235b26fadeecd0f817433c97747853c51a24
SHA256: caac4681389b0af7998ba8fd2062d18050a0e5e8cb4c8d0006a1b3a921ee52c8
Detection: Android/SpyNote.F!tr

 

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has reported extensively on AI technology. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5993554863383553632

 

[1] https://www.fortinet.com/blog/threat-research/android-spynote-moves-to-crypto-currencies?lctg=141970831
