Caught in the Act: Uncovering SpyNote in Unexpected Places
June 23, 2025, 11:15 p.m.
Description
Multiple samples of SpyNote, a sophisticated Android spyware, were discovered in open directories, disguised as legitimate apps like Google Translate, Temp Mail, and Deutsche Postbank. The malware exploits accessibility services and device administrator privileges to steal sensitive information from infected devices. Samples were found on various servers, including AWS and SonderCloud Limited, with different command and control (C2) infrastructures. The discovery highlights the ongoing threat of SpyNote, especially after its source code leak in late 2022, and emphasizes the importance of proactive threat detection and analysis.
Tags
Date
- Created: June 20, 2025, 7:26 p.m.
- Published: June 20, 2025, 7:26 p.m.
- Modified: June 23, 2025, 11:15 p.m.
Indicators
- 255c61326c9d4fc198bc562049f4f5ba82a89a1ab71487876ee8f1bff125aee7
- 5.252.74.45
Additional Information
- Finance
- Germany