SpyNote

SpyNote is an Android remote access trojan (RAT) / spyware family, also referred to in the content as SpyMax and noted as the basis for Android.SpyMax. It is used to provide extensive remote control and surveillance over infected Android devices. Reported capabilities include collection of precise location data, contacts, SMS messages, call information and call logs, device identifiers and SIM/IMSI data, files, screenshots, and installed-app information; camera access; ambient audio recording; accessibility-enabled on-screen monitoring and keystroke logging; overlay-based credential phishing; SMS interception including banking OTP theft; SMS sending; dynamic code loading; and abuse of device administrator privileges for persistence and to hinder removal. The content also notes use of raw TCP sockets for command-and-control, reflection to evade static analysis, SharedPreferences to store C2 configuration and tokens, and anti-analysis/emulator-detection behavior.

Observed infection and delivery vectors in the content are malicious Android APKs disguised as legitimate apps, including fake utility or messaging apps, WhatsApp-delivered payloads, Facebook-promoted fake apps, and phishing pages or fake app lures. One analyzed sample disguised as "GoosApp" (package elimination.kitchen.secured) was identified with high confidence as SpyNote/SpyMax and requested numerous dangerous permissions including RECORD_AUDIO, ACCESS_FINE_LOCATION, READ_SMS, SEND_SMS, READ_CALL_LOG, SYSTEM_ALERT_WINDOW, CAMERA, READ_CONTACTS, storage access, and device-admin-related capabilities. VirusTotal detections in the content labeled such samples as trojan.spymax/spynote, and YARA matches highlighted dynamic DEX loading, premium-rate SMS fraud, and emulator checks.

The malware has been associated in the content with multiple campaigns and threat contexts. CYFIRMA described a targeted attack against high-value individuals in Southern Asia using SpyNote-generated Android payloads delivered via WhatsApp and attributed it to an unknown threat actor, while noting prior use of SpyNote by groups including OilRig (APT34), APT-C-37, and OilAlpha. ESET documented a BladeHawk campaign active since at least March 2020 targeting the Kurdish ethnic group via Facebook-distributed Android backdoors including SpyNote. Volexity identified likely related SpyNote-based Android APKs in a broader Storm Cloud campaign targeting Tibetan individuals and organizations. The content also states SpyNote-based campaigns have targeted government agencies, NGOs, media organizations, financial institutions, activists, and Android users more broadly, and that spyware growth on Android was significantly driven by SpyNote.

High-confidence indicators and artifacts directly mentioned in the content include the C2 IP 182.191.122.219 from one CYFIRMA-reported campaign; SHA-256 hashes 8AA1A66E03596C0EBA6F91FB081DDB4081F43B02D421E069C6BE8BBF5D399B89, 0552137AAA2C9419C8843D50BCB15A4C80913ED47EB71C5E5AB9B5AC257944ED, 6127DAF756865EE089BA83EFDADEBDA2C047026A698759DE09127D0DFE630E8D, and A70089301FF628F09B90B269F6E8F5C6B5AE0B3073028ABCC62FEC9D2F1C954C from that campaign; and for the GoosApp SpyNote/SpyMax sample, SHA-256 7129d6c57182f4e53a4fd0f6aac15de30ffc5bfa34bc639a19ee39d2856b3c07, MD5 b2c5e29222f57cf91d30d37b8ec54cc3, package name elimination.kitchen.secured, certificate SHA-256 465983f7791f2abeb43ea2cbdc7f21a8260b72bc08a55c839fc1a43bc741a81e, receiver elimination.kitchen.AdminReceiver, and accessibility service gdflvwzqcjwsyigjsmgjolyskkyyhnfrhdsyyrxpmdzmoavvhj6nSsAP24. The content also notes that SpyNote C2 servers and phishing pages have been hosted on Proton66 / related infrastructure.