An updated version of the SpyNote Android malware is being deployed at high speeds, researchers have claimed.
SpyNote (also known as SpyMax) was an Android malware whose latest version, called CypherRat, was being distributed exclusively through private Telegram channels, for a price. The tool offered a wide variety of features, including remote access, GPS tracking, and device status and activity updates, but also account theft for banking apps.
Experts have attributed the sudden spike to the malware being released for free on GitHub and being picked up by countless threat actors, who are now targeting banks such as HSBC and Deutsche Bank, as well as releasing as fake WhatsApp, Facebook, and other apps on the Google Play Store.
The original authors were thought to be selling the malware from August 2021 until October 2022, but after a number of scam incidents, where fraudsters impersonated the project and sold bogus programs, the authors posted the source code on GitHub.
Subsequently, the source code was arguably picked up by countless threat actors, resulting in a spike in infections. Analysts from ThreatFabric, who’ve been keeping an eye on CypherRat, believe the infections could grow even larger in the coming weeks and months.
Besides the above-mentioned features, ThreatFabric has found CypherRat being capable of using the camera API to record and send videos from the compromised endpoints, sharing GPS and network location tracking data, stealing Facebook and Google account credentials, extracting Google Authenticator codes, and keylogging.
To become operational, SpyNote needs to be given access to the Android Accessibility Service, which is still the best way to know if an app is malicious or not.
The researchers are yet to determine the exact distribution channels, but it’s most likely that CypherRat is being spread through phishing sites and third-party Android app repositories.
Via: BleepingComputer (opens in new tab)