New Android Spyware Infiltrates Accessibility Access, Mimics Apps

New spyware targets Android smartphones and mimics generic, banking and social apps, creating a new trend for criminals.

  • New spyware targets Android phones (Reuters)
    New spyware targets Android phones (Reuters)

Since October, researchers have noticed a new type of spyware that specifically targets Android smartphones and impersonates banking apps from a number of major and respected financial institutions.

ThreatFabric researchers reported on January 5 that they saw a large spike in samples from the SpyNote malware family in October. They pointed out that the malware, also known as SpyMax, has the ability to remotely access, manage and modify device features and resources.

The SpyNote.C variant impersonated financial institutions including HSBC, Deutsche Bank, Kotak Bank, and BurlaNubank. However, spyware has gone beyond simply mimicking banking apps to also mimicking generic apps such as productivity and gaming apps, as well as other common and widely used apps such as WhatsApp, Facebook and Google Play.

The SpyNote.C variant, according to ThreatFabric researchers, was sold as “CypherRat” between August 2021 and October 2022, when the source code was made public via GitHub and its use began to become more visible.

SpyNote.C is capable of stealing and using personal identification information of online banking users, as well as tracking SMS messages, calls, videos and audio recordings. It can grab two-factor authentication codes, grab passwords from social media apps including Facebook and Gmail, and even extract passwords from other websites.

Researchers claim that by using Android’s accessibility services, SpyNote.C makes removal difficult and allows the virus to install updated versions of itself and other apps without user interaction .

ThreatFabric researchers have concluded that spyware can alter the way information is stolen, increasing the scope of the objective behind technological infiltrations. According to the researchers, “the potential start of a new trend, which will see a gradual disappearance of the distinction between spyware and banking malware, due to the power that the abuse of accessibility services gives to criminals”.

Read more: Israeli predator maker Intellexa in Athens raided after sales ban