Malware

Android.SpyMax

Android.SpyMax is an Android banking trojan family that Dr.Web describes as being based on leaked source code of the SpyNote RAT/spyware trojan. The malware supports remote control of infected Android devices and has been used in multiple scenarios, including banking-trojan operations. Reported banking functionality includes phishing-style behavior associated with Android banking malware, and the family was specifically tracked by Dr.Web as Android.SpyMax banking trojans. Dr.Web reported that Android.SpyMax activity declined in some 2025 reporting periods, including a 17.25% decrease in detections in Q3 2025, and was described as less active in later reporting. Some Android.SpyMax samples or versions were noted as being protected with obfuscation/packing detected as Android.Packed.57.origin. High-confidence context directly ties Android.SpyMax to Android devices, banking-trojan use cases, SpyNote-derived code, remote device control capability, and use of obfuscation in at least some variants.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

news drweb comNews

Apr 1, 2026

Dr.Web - Doctor Web’s Q1 2026 review of virus activity on mobile devices

Named banking trojan referenced as being protected by an obfuscator in some versions.

news drweb comNews

Jan 15, 2026

Dr.Web - Doctor Web’s review of virus activity on mobile devices in 2025

SpyNote-derived Android RAT/spyware family used in multiple criminal scenarios, including banking fraud.

news drweb comNews

Jan 15, 2026

Dr.Web - Doctor Web’s virus activity review for 2025

Android banking trojan family referenced as decreasing in activity during 2025.

news drweb comNews

Jan 15, 2026

Dr.Web - Doctor Web’s virus activity review for 2025

Android banking trojan family referenced as less active in 2025 compared to prior periods.

+3 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.