Affected Platform: Android
Impacted Users: Android users with mobile crypto wallet or banking applications
Impact: Financial Loss
Severity Level: Medium
SpyNote has grown into one of the most common Android malware families, with over 10,000 known samples and variants that integrate other RATs.
On February 1st, we found a malicious sample posing as a legitimate crypto wallet that actually included the SpyNote RAT with several interesting additions related to anti-analysis and cryptocurrencies.
Like much Android malware today, this malware abuses the Accessibility API, which is designed to perform UI actions automatically on the user's behalf.
The malicious sample uses the Accessibility API to record device unlocking gestures.
What is new is that this SpyNote sample uses the Accessibility API to target well-known crypto wallets.
The following code recognizes the use of a legitimate crypto wallet and displays an overlay over it.
To a malware analyst, these overlays are obviously fake.
The victim, however, is unlikely to notice: wallet addresses are long strings of characters that are hard to verify by eye, and the overlay appears to have been displayed by the victim's legitimate crypto wallet application.
The malicious code uses the Accessibility API to automatically fill a form and transfer a given amount of cryptocurrency to the cybercriminals.
The malware:
- reads and memorizes the destination wallet address;
- reads and memorizes the amount;
- modifies the destination address, replacing it with the attacker's crypto wallet address.
All of these operations are performed automatically through the Accessibility API without the user's intervention.
Permissions for the Accessibility API

To gain access to the Accessibility API, all such malware lures victims, one way or another, into granting it the necessary rights.
While accessibility access is legitimately requested by apps that help people with disabilities, such a request should always be treated as highly suspicious when it comes from an alleged crypto wallet, PDF reader, video player, etc.
The two screenshots below show the SpyNote malware requesting the Accessibility Service and the additional warning window that the Android OS displays, explaining the risks, when you grant the requested access.
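As an added example (not code from the article or from Fortinet), a small audit helper a defender can run against a device over adb: it reads the list of enabled accessibility services, which Android stores as a colon-separated list of flattened component names in Settings.Secure, and flags any package not on an allowlist. The allowlist contents and the sample value in the comments are constructed.

```python
"""Audit which packages currently hold accessibility rights on an Android device.

Android keeps enabled services in Settings.Secure ENABLED_ACCESSIBILITY_SERVICES as
"pkg/.Service:pkg2/pkg2.Service2"; `settings get` prints "null" when nothing is set.
"""
import subprocess

# Constructed allowlist: packages an administrator expects to hold accessibility rights.
TRUSTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the raw settings value into (package, fully qualified service class) pairs.

    Expands the relative class form "pkg/.Svc", skips empty or malformed entries,
    and treats "null" (unset key) as "nothing enabled".
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def unexpected_services(raw: str, trusted=TRUSTED_ACCESSIBILITY_PACKAGES):
    """Return the enabled services whose package is not on the allowlist."""
    return [(p, c) for p, c in parse_enabled_services(raw) if p not in trusted]


def read_from_device() -> str:
    """Query a connected device (needs adb on PATH and USB debugging enabled)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    for pkg, cls in unexpected_services(read_from_device()):
        print(f"review: {pkg} holds accessibility rights via {cls}")
```

Any flagged package should be checked against what the app claims to be; a "crypto wallet" that needs an accessibility service is exactly the pattern described above.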
Besides injections into crypto wallets, the sample features an interesting, simple, but efficient anti-analysis technique.
After a growing interest in financial institutions, this new Android/SpyNote sample shows that malware authors are now taking into account cryptocurrencies.
The capabilities of the malware are well beyond the mere spying of credentials as they can initiate cryptocurrency transfers.
As for anti-analysis, the implemented technique is simple and can be bypassed by a human analyst, but it certainly defeats, or at least complicates, automated analysis, giving the malware author a little more time before detection.
The sample is detected automatically by our products, and we urge Android users to pay particular attention to any application requesting the Accessibility API.

Fortinet Protections
This Cyber News was published on feeds.fortinet.com. Publication date: Thu, 15 Feb 2024 16:43:04 +0000