Researchers claim that an updated version of the SpyNote Android malware is being deployed at a rapid pace.
SpyNote (also known as SpyMax) is an Android malware whose latest version is called CypherRat and is only distributed for a fee through private Telegram channels. The tool offers a variety of capabilities, including remote access, GPS tracking, device status and activity updates, and account theft from banking apps.
Experts attribute the sudden surge to the malware being released for free on GitHub and picked up by countless threat actors who are now targeting banks like HSBC and Deutsche Bank, and on the Google Play store.
The original author is believed to have sold the malware between August 2021 and October 2022, but after multiple scams in which fraudsters impersonated the project and sold fake programs, the author posted the source code on GitHub.
The source code was subsequently obtained by what are arguably numerous threat actors, leading to a surge in infections. ThreatFabric analysts who have been following CypherRat believe that the number of infections is likely to grow in the coming weeks and months.
In addition to the capabilities described above, ThreatFabric also discovered that CypherRat can use the camera API to record and send video from infected endpoints, share GPS and network location tracking data, steal Facebook and Google account credentials, extract Google Authenticator codes, and log keystrokes.
To start working, SpyNote needs to gain access to the Android Accessibility Service, and a request for that access is still the best way to tell if an app is malicious.
Researchers have yet to identify the exact distribution channel, but CypherRat is most likely spread through phishing sites and third-party Android application repositories.
Via: BleepingComputer