SpyMax, an Android malware family, saw a sharp increase in detections during the last quarter of 2022. The rise is attributed to the leak of the source code of one of its variants, known as CypherRat.
“CypherRat” combines SpyNote’s spying capabilities (remote access, GPS tracking, and status and activity updates) with banking trojan features that mimic banks to steal account credentials.
CypherRat was sold through private Telegram channels between August 2021 and October 2022. After a series of fraudulent incidents on hacking forums, its author decided to publish its source code on GitHub.
The source code was quickly picked up by threat actors who launched their own campaigns. Almost immediately, customized variants appeared that targeted reputable banks such as HSBC and Deutsche Bank.
Other actors also chose to disguise their CypherRat versions as Google Play and WhatsApp in order to reach a larger audience.
ThreatFabric observed this activity and warned about CypherRat’s potential spread.
SpyNote’s malware features
The various SpyNote variants rely on access to Android’s Accessibility Service, which lets them download new apps, listen to calls, and intercept SMS messages to bypass 2FA.
ThreatFabric lists these features as “standouts”:
- Using the Camera API to record video and send it to the C2 server
- Location tracking via GPS and network data
- Stealing Google and Facebook account credentials
- Extracting codes from Google Authenticator via Accessibility (A11y)
- Keylogging, enabled by Accessibility Services, to steal banking credentials
The latest SpyNote version uses string obfuscation to hide its malicious code, and the APKs are packaged with commercial packers.
SpyNote also base64-encodes the information it exfiltrates to its C2 servers, which hides the C2 host.
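As an added example (not part of this article or of ThreatFabric’s research), the following Python script shows a triage heuristic an analyst can run over a string dump from a suspicious APK: every token that looks like base64 is decoded, and the ones that decode to a hostname, IP address or URL are reported. The sample strings, the token pattern and the host pattern are constructed assumptions for illustration, not SpyNote’s actual encoding scheme.

```python
"""Heuristic: reveal hostnames hidden behind base64 in an APK string dump.

Added example with constructed sample data; the token and host patterns
are assumptions, not the malware's real format.
"""
import base64
import binascii
import re

# A candidate token is at least 12 base64-alphabet characters with optional padding.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")

# A decoded value counts as a "hidden host" if it is a dotted IPv4 address or a
# domain name, optionally with an http(s) scheme, a port and a path.
HOST_RE = re.compile(
    r"^(?:https?://)?"
    r"(?:(?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})"
    r"(?::\d{1,5})?(?:/\S*)?$",
    re.IGNORECASE,
)

# Constructed string dump: two encoded hosts plus realistic decoys
# (a plain word, a class path, a base64 string that is not a host, and
# a token that decodes to non-printable bytes).
SAMPLE_STRINGS = [
    "Accessibility",
    "com/example/app",
    "SGVsbG8gV29ybGQ=",
    "AAAAAAAAAAAAAAAA",
    "aHR0cDovL2MyLmV4YW1wbGUubmV0OjgwODA=",
    "MTk4LjUxLjEwMC4yMw==",
]


def try_decode(token: str):
    """Return the decoded text if `token` is valid base64 for printable ASCII, else None."""
    if not B64_TOKEN.match(token):
        return None
    stripped = token.rstrip("=")
    if len(stripped) % 4 == 1:          # no valid base64 string has this length
        return None
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_hidden_hosts(strings):
    """Map each base64 token that decodes to a host/URL to its decoded value."""
    hits = {}
    for s in strings:
        s = s.strip()
        decoded = try_decode(s)
        if decoded and HOST_RE.match(decoded):
            hits[s] = decoded
    return hits


if __name__ == "__main__":
    for token, host in find_hidden_hosts(SAMPLE_STRINGS).items():
        print(f"{token} -> {host}")
```

The decoded values feed straight into blocklists or network detections; in a real triage run the string list would come from a tool such as `strings` over the unpacked APK, and the host pattern would be tuned to the analyst’s false-positive tolerance.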
Threat actors currently use CypherRat mainly as a banking trojan, but the malware can also serve as spyware in low-volume, targeted espionage operations.
ThreatFabric is convinced that SpyNote will continue to pose a threat to Android users and expects further forks to emerge as 2023 progresses.
ThreatFabric does not know how the malicious apps are distributed, but they most likely spread via phishing websites, third-party Android app stores, and social media.
Users are advised to exercise caution when installing apps from sources other than Google Play and to reject any request for access to the Accessibility Service.
Despite Google’s efforts to stop Android malware from abusing Accessibility Service APIs, malware still finds ways around these restrictions.