Analysts from the information-security company F-Secure conducted an in-depth analysis of the Android trojan SpyNote and discovered its extensive capabilities for collecting confidential information.
SpyNote is typically distributed through phishing campaigns in which attackers convince victims to follow a link sent via SMS and install the application. During installation, SpyNote requests access to the call log, camera, SMS messages, and external storage, and it hides its presence on the Android home screen and recent-apps screen to make detection difficult.
Researchers found that SpyNote can be activated through an external trigger: upon receiving a signal, the malicious application launches its main activity.
SpyNote is notable for obtaining an initial set of permissions and then leveraging them to automatically acquire additional rights, such as recording audio and phone calls, logging keystrokes, and capturing screenshots through the MediaProjection API.
A more thorough analysis of the malware revealed the presence of “Diehard” services, which protect the application from termination attempts by the victim or the operating system.
To keep itself running, the SpyNote trojan registers a broadcast receiver that automatically restarts the malicious activity whenever an attempt is made to terminate it. Furthermore, when a user tries to remove the malicious application through the settings menu, the menu is automatically closed via an API call. The only remaining solution is a factory reset, which results in the loss of all data on the device.
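As an added illustration from the defender's side (not code from the F-Secure analysis), the following Python triage script scores a decoded AndroidManifest.xml against the indicators described above: the four install-time permissions, the absence of a launcher activity (no home-screen icon), and broadcast receivers with intent-filters that can fire without user interaction. The sample manifest, the package name and the scoring weights are constructed for this example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: namespace prefix

# Install-time permissions the analysis above says SpyNote requests.
SPYNOTE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Heuristic triage of a decoded (plain-text) AndroidManifest.xml.
    The manifest inside an APK is binary XML and must be decoded first."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    overlap = sorted(requested & SPYNOTE_PERMISSIONS)
    has_launcher = False
    triggered_receivers = []
    app = root.find("application")
    if app is not None:
        for act in app.iter("activity"):
            for cat in act.iter("category"):
                if cat.get(A + "name") == "android.intent.category.LAUNCHER":
                    has_launcher = True
        # A receiver with an intent-filter reacts to broadcasts on its own;
        # the article describes one used to restart the malicious activity.
        for rcv in app.iter("receiver"):
            if rcv.find("intent-filter") is not None:
                triggered_receivers.append(rcv.get(A + "name"))
    score = len(overlap)                      # one point per matching permission
    score += 2 if not has_launcher else 0     # no home-screen icon
    score += 1 if triggered_receivers else 0  # self-triggering receiver present
    return {"overlap": overlap, "launcher_activity": has_launcher,
            "triggered_receivers": triggered_receivers, "score": score}

# Constructed sample manifest mirroring the behaviours described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".RestartReceiver">
      <intent-filter><action android:name="com.example.constructed.WAKE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Icon hiding done at runtime through the package manager does not show up in the manifest, so the missing-launcher check is only a partial signal and the score is a triage aid, not a verdict.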