SpyNote is emerging as a new threat to Android users, with cybercriminals operating fake websites hosted on newly registered domains that masquerade as Google Play Store pages for popular apps like Chrome.
These fake websites trick victims into installing SpyNote, a malicious remote access trojan (RAT) aimed at data theft, spying, and unauthorised device control. Attackers exploit consumer trust by creating remarkably convincing replicas of authentic Chrome installation screens, effectively luring victims into unknowingly infecting their own devices.
In May 2024, analysts at mobile‑security firm Zimperium spotted code overlaps between SpyNote and another RAT known as Gigabud, suggesting a shared author or group behind both variants.
According to a report by the DomainTools Investigations (DTI) team:
The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself.
The Chinese-speaking threat actor “GoldFactory” has been linked to Gigabud, while SpyNote has been used in campaigns by advanced APTs including OilRig (APT34), Pat-Bear (APT-C-37), and the less well-known OilAlpha. This overlap in activity highlights the RAT’s suitability for both focused surveillance operations and more general cybercrime activities.
SpyNote, MOONSHINE & BadBazaar: The New Triad of Mobile Espionage
SpyNote (SpyMax) is a sophisticated Android remote-access trojan (RAT) that has resurfaced on fraudulent websites. These clone sites duplicate Google Play’s familiar style, loaded with an image carousel, to trick visitors into downloading a malicious APK.
At first glance, the sites appear legitimate, but each carousel image actually triggers the download of a dropper APK. When executed, this dropper makes use of the Android DialogInterface, and the full SpyNote RAT is installed as a second payload through the OnClickListener hook.
SpyNote uses Android’s accessibility services to give attackers complete control over the device after it has been installed. It quietly harvests contact information, SMS messages, phone logs, and exact location data.
Simultaneously, it gains access to stored files, activates cameras and microphones at will, and intercepts calls. SpyNote is one of the most serious mobile threats in circulation because of its keystroke-logging module, which automatically gathers usernames and passwords from any app.
The malware conceals its command-and-control (C2) logic in a base.dex file within the app’s assets folder. This file contains all connection configurations. All C2 domains communicate over port 8282, with some variants even hardcoding the IP address 66.42.63.74, ensuring persistent communication with attacker-controlled servers.
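As an added triage example (not code from the DTI or Zimperium reports), the script below opens an APK as the ZIP archive it is, checks for the assets/base.dex entry described above, and looks inside it for the C2 port 8282 and the hardcoded IP 66.42.63.74 quoted in the article. The sample APK it builds is constructed here for illustration and is not a real SpyNote dropper.

```python
"""Triage an Android APK for the SpyNote indicators described in the article.

Added example: an APK is a ZIP archive, so the standard library is enough to
pull out assets/base.dex and scan its raw bytes. No decompilation is done.
"""
import io
import re
import zipfile

# Indicators taken from the article. Dex string tables are MUTF-8, so the
# ASCII byte patterns are sufficient; the lookarounds stop "8282" or the IP
# from matching inside a longer run of digits (e.g. 182820, 66.42.63.741).
IP_RE = re.compile(rb"(?<!\d)66\.42\.63\.74(?!\d)")
PORT_RE = re.compile(rb"(?<!\d)8282(?!\d)")


def triage_apk(apk_bytes: bytes) -> dict:
    """Return which indicators the APK exhibits: has_base_dex, c2_ip, c2_port."""
    result = {"has_base_dex": False, "c2_ip": False, "c2_port": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        if "assets/base.dex" not in zf.namelist():
            return result
        result["has_base_dex"] = True
        blob = zf.read("assets/base.dex")
        result["c2_ip"] = IP_RE.search(blob) is not None
        result["c2_port"] = PORT_RE.search(blob) is not None
    return result


def verdict(result: dict) -> str:
    """'suspicious' when base.dex carries a C2 indicator; a bare base.dex only
    earns 'review', since a port number alone is a weak signal."""
    if result["has_base_dex"] and (result["c2_ip"] or result["c2_port"]):
        return "suspicious"
    if result["has_base_dex"]:
        return "review"
    return "clean"


def build_sample_apk(include_c2: bool) -> bytes:
    """Constructed stand-in for a dropper APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        if include_c2:
            # Constructed config blob echoing the article's port and IP.
            cfg = b"dex\n035\x00host=c2.example;ip=66.42.63.74;port=8282"
            zf.writestr("assets/base.dex", cfg)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(verdict(triage_apk(build_sample_apk(flag))))
```

Run it against a real APK with `triage_apk(open("app.apk", "rb").read())`; a "suspicious" verdict is a reason to pull the sample for deeper analysis, not proof on its own.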
Lookout recorded well over four million mobile social engineering attacks in 2024 alone. Out of those, 1.6 million apps displayed serious vulnerabilities, and 427,000 malicious apps compromised corporate devices.
In February 2024, cybersecurity agencies from Australia, Canada, Germany, New Zealand, the United Kingdom and the United States issued a joint advisory. Authorities issued a warning that two spyware trojans, MOONSHINE and BadBazaar, are targeting the Tibetan, Taiwanese, and Uyghur communities.
Targets of the campaign include:
- NGOs, journalists, businesses and civil‑society advocates for these communities.
- Anyone downloading apps disguised as messaging, utility or religious applications.
This advanced campaign highlights the growing risks in the mobile threat landscape and underscores the need for users to remain vigilant—even when using seemingly trustworthy apps. Always verify that you’re on the official Google Play domain, check app certificates for legitimate developer signatures, and only download from trusted sources such as Google Play or the Amazon Appstore.
Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.