Researchers say that the updated version of the SpyNote malware for Android is spreading rapidly.
SpyNote (also known as SpyMax) is Android malware whose latest version, called CypherRat, was distributed exclusively through private Telegram channels, for a fee. The tool offered a wide variety of features, including remote access, GPS tracking, and device status and activity updates, as well as account theft in banking apps.
Experts attributed the surge to the malware being made available for free on GitHub and picked up by countless cybercriminals, who are now targeting banks such as HSBC and Deutsche Bank and posing as fake WhatsApp, Facebook and other apps on the Google Play Store.
The original authors reportedly sold the malware from August 2021 to October 2022, but after multiple scams in which scammers impersonated the project and sold fake programs, the authors published the source code on GitHub.
Subsequently, the source code was probably picked up by countless cybercriminals, resulting in a surge in infections. Analysts at ThreatFabric who have been watching CypherRat believe that infections may increase further in the coming weeks and months.
In addition to the aforementioned features, ThreatFabric discovered that CypherRat could use the camera API to record and send videos from compromised endpoints, share GPS and network location tracking data, steal Facebook and Google account credentials, extract Google Authenticator codes, and log keystrokes.
To start working, SpyNote needs access to the Android accessibility service, and a request for that access is still the best way to check whether an app is malicious.
Researchers have not yet determined the exact distribution channels, but most likely CypherRat spreads via phishing sites and third-party Android app repositories.
Via: BleepingComputer