SpyNote is a family of dangerous Android malware, first sold on the dark web in 2021. After the source code was leaked in 2022, multiple variants came into circulation. The latest of these variants specifically targets financial institutions, such as HSBC, Deutsche Bank, Kotak Bank, BurlaNubank and Bank of America.
SpyNote is an Android spyware that abuses the accessibility services developed for people with disabilities. It detects what happens on screen and performs malicious actions accordingly. Once the application is installed and the accessibility permission is granted, the spyware uses it to accept other permissions automatically. This way, the cybercriminals behind the spyware gain access to anything on the device: users’ SMS messages, call logs, contacts, GPS location, files, photos, camera, microphone...
We recently observed that a new version of SpyNote shows advanced capabilities similar to banking malware. It is set up to perform a two-step attack, in which the second step consists of stealing banking details. To do so, it accesses the list of applications installed on users’ devices and prompts them to install a fake version of the banking application they use. It then uses keylogging and 2FA-grabbing techniques to steal users’ credentials.
Nowadays, almost all banks use strong customer authentication to confirm a money transaction. But since the hackers using SpyNote have full access to infected devices, they are capable of bypassing two-factor authentication. Whether the security code is generated by an authentication application or sent via SMS message or email, they intercept it.
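As an added illustration (not code from Pradeo or from the original article), the following triage heuristic checks an app's AndroidManifest.xml for the combination of capabilities described above: a bound accessibility service together with SMS, contact, location or media access. The sample manifest is constructed for the example and is not a real SpyNote artifact; the thresholds are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that, combined with an accessibility service, match the
# capabilities the article attributes to SpyNote (SMS, calls, contacts, GPS, media).
SENSITIVE = {
    "android.permission.RECEIVE_SMS": "SMS interception (2FA codes)",
    "android.permission.READ_SMS": "SMS reading",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report accessibility-service binding and sensitive permissions in a manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    binds_a11y = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    hits = {p: SENSITIVE[p] for p in sorted(perms & SENSITIVE.keys())}
    # Assumed threshold: accessibility binding plus at least two sensitive
    # data permissions is treated as the SpyNote-like pattern worth a closer look.
    suspicious = binds_a11y and len(hits) >= 2
    return {"accessibility_service": binds_a11y, "sensitive": hits, "suspicious": suspicious}

# Constructed sample manifest for the example (not a real SpyNote artifact).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

The heuristic is a triage aid only: legitimate accessibility apps also bind this service, so a hit is a reason to inspect the app, not a verdict.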
SpyNote uses different defense evasion techniques, such as obfuscation, junk code and anti-emulator checks, to prevent it from being launched and analyzed within an emulator or sandbox by security analysts. When the attack is successful, the stolen information is monetized on the dark web and/or used to commit banking fraud.
Financial institutions have been the main target of SpyNote in the last few months, with banks being targeted in the United Kingdom, Germany, India and America. Additionally, the attackers also focus on essential service operators. Recently, Japanese users were targeted with a SpyNote attack posing as power or water suppliers. Impersonating vital organisations creates a sense of urgency for the victim and makes them more likely to act immediately.
In addition to the attackers, who obviously risk prosecution, in the future this could also apply to companies whose apps are counterfeited. The European NIS2 directive, which goes into effect in 2024, stipulates that mobile applications and services must be protected. It recommends detecting system vulnerabilities and carrying out intrusion tests and security audits. An application that can be easily cloned, and therefore used in cyberattacks, could result in a penalty for the company.
Now more than ever, mobile applications should never be published without prior validation of their security, especially in sectors where the data handled is sensitive.
To assist companies, Pradeo offers a toolbox for controlling the confidentiality and security of mobile applications throughout their lifecycle, from development to operations.
Pradeo's automated mobile application compliance audit tool enables you to:
Pradeo's complementary AppSec tools enable application security managers to: