Since June, a surge of SpyNote infections targeting banking applications has been reported. A new version of the spyware distributed through email phishing or smishing (by SMS) campaigns is now specifically designed to commit banking fraud.
SpyNote is a family of dangerous Android malware, first sold on the dark web in 2021. After the source code was leaked in 2022, multiple variants came into circulation. The latest of these variants specifically targets financial institutions, such as HSBC, Deutsche Bank, Kotak Bank, BurlaNubank and Bank of America.
How SpyNote works
SpyNote is an Android spyware that abuses the accessibility services developed for people with disabilities. It detects what happens on screen and performs malicious actions accordingly. Once the application is installed and the accessibility permission is granted, the spyware uses it to accept other permission prompts automatically. This way, the cybercriminals behind the spyware gain access to anything on the device: users’ SMS messages, call logs, contacts, GPS location, files, photos, camera, microphone...
We recently observed that a new version of SpyNote shows advanced capabilities similar to banking malware. It is set up to perform a two-step attack, in which the second step consists of stealing banking details. To do so, it reads the list of applications installed on the user’s device and prompts them to install a fake version of the banking application they use. It then uses keylogging and 2FA-grabbing techniques to steal the user’s credentials.
Nowadays, almost all banks use strong customer authentication to confirm a money transaction. But since the hackers using SpyNote have full control over infected devices, they are capable of bypassing two-factor authentication: when the security code is generated by an authentication application or sent via SMS message or email, they intercept it.
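The capability mix described above (an accessibility service combined with SMS access, screen overlays, package enumeration and the right to install other apps) is visible in an app's manifest before it ever runs. The following is an added example, not code from the original post or from Pradeo, of a triage heuristic over AndroidManifest.xml that flags that combination while leaving a plain screen reader alone. The permission and action names are the real Android identifiers; the two manifests are constructed for illustration, and the scoring thresholds are an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace; element names do not.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Real Android identifiers, grouped by the capability each one grants.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
CAPABILITY_PERMISSIONS = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "package_enumeration": {"android.permission.QUERY_ALL_PACKAGES"},
    "sideload_install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "media_capture": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
}


def declares_accessibility_service(root):
    """True if any <service> is bound as an accessibility service."""
    for service in root.iter("service"):
        if service.get(ANDROID + "permission") == BIND_ACCESSIBILITY:
            return True
        for action in service.iter("action"):
            if action.get(ANDROID + "name") == ACCESSIBILITY_ACTION:
                return True
    return False


def requested_permissions(root):
    """Set of permission names declared with <uses-permission>."""
    return {
        el.get(ANDROID + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID + "name")
    }


def analyze_manifest(xml_text):
    """Return the capability indicators found and a triage verdict.

    An accessibility service on its own is legitimate (screen readers need
    it); only its combination with two or more of the other capabilities
    is treated as worth a manual review (threshold assumed for this example).
    """
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    indicators = sorted(
        cap for cap, names in CAPABILITY_PERMISSIONS.items() if perms & names
    )
    accessibility = declares_accessibility_service(root)
    if accessibility and len(indicators) >= 2:
        verdict = "review: accessibility service combined with " + ", ".join(indicators)
    elif accessibility:
        verdict = "accessibility service only"
    else:
        verdict = "no accessibility service"
    return {"accessibility_service": accessibility,
            "indicators": indicators, "verdict": verdict}


# Constructed manifest: a screen reader that legitimately needs accessibility.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.screenreader">
  <application>
    <service android:name=".ReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest: the capability mix described in the text.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.suspect">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Svc">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(name, analyze_manifest(manifest))
```

The heuristic is deliberately manifest-only: it costs nothing at app-vetting or MDM-inventory time and catches the static permission footprint, but it does not replace dynamic analysis, since a sample can request permissions at runtime or hide behaviour behind obfuscation and emulator checks.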
SpyNote uses several defense evasion techniques, such as obfuscation, junk code and anti-emulator checks, to prevent it from being launched and analyzed by security analysts within an emulator or sandbox. When the attack is successful, the stolen information is monetized on the dark web and/or used to commit banking fraud.
Banks and operators of essential services directly targeted
Financial institutions have been the main target of SpyNote in the last few months, with banks being targeted in the United Kingdom, Germany, India and America. Additionally, hackers also focus on operators of essential services. Recently, Japanese users were targeted with a SpyNote attack posing as power or water suppliers. Impersonating vital organisations creates a sense of urgency for the victim and makes them more susceptible to act immediately.
In addition to the attackers, who obviously risk prosecution, in the future this could also be the case for companies whose apps are counterfeited. The European NIS2 directive, which goes into effect in 2024, stipulates that mobile applications and services must be protected. It recommends detecting system vulnerabilities and carrying out penetration tests and security audits. An application that can be easily cloned and therefore used in cyberattacks could result in a penalty for the company.
How to protect mobile applications
Now more than ever, mobile applications should never be published without prior validation of their security, especially in sectors where the data handled is sensitive.
To assist companies, Pradeo offers a toolbox for controlling the confidentiality and security of mobile applications throughout their lifecycle, from development to operations.
Take stock of current security
Pradeo's automated mobile application compliance audit tool enables you to:
- Obtain a compliance analysis in just a few clicks, integrating data protection laws and customizable criteria.
- See immediately whether the application handles personal data.
- Precisely detect data manipulation by an application and its libraries, specifying whether the data is used locally, sent off-device, modified or deleted. This information is completed by the location where the data is stored or sent, if applicable.
- Identify libraries with hidden behaviors and vulnerabilities.
- Identify risks to be remedied before an application is released.
- Justify application security work by showing a compliant audit result.
Remediate vulnerabilities and protect against external attacks
Pradeo's complementary AppSec tools enable application security managers to:
- Continuously identify and remediate application vulnerabilities right from the development stage.
- Strengthen application code to prevent theft or cloning.
- Monitor mobile applications as they are used, to detect and respond to external threats.
- Detect counterfeit applications attempting to connect to an organization's server while pretending to be legitimate.