Newly Registered Domains Distributing SpyNote Malware

April 16, 2025, 1:20 p.m.

Description

Cybercriminals are employing deceptive websites on newly registered domains to distribute AndroidOS SpyNote malware. These sites imitate the Google Chrome install page on the Google Play Store, tricking users into downloading SpyNote, a powerful Android remote access trojan. SpyNote is used for surveillance, data exfiltration, and remote control of infected devices. The investigation uncovered multiple domains, IP addresses, and APK files associated with this campaign. The malware utilizes various C2 endpoints for communication and data exfiltration, with functions designed to retrieve and manipulate device information, contacts, SMS, and applications.

External References

https://dti.domaintools.com/Newly-Registered-Domains-Distributing-SpyNote-Malware/
https://raw.githubusercontent.com/DomainTools/SecuritySnacks/refs/heads/main/2025/SpyNote-GooglePlayStore
https://otx.alienvault.com/pulse/67feb504b76dd387be73309b
Tags
rat
phishing
android
spynote
remote access
keylogging
data exfiltration
spymax
google play store
2025-04-10
apk dropper
androidos
2025-04-15

Date

  • Created: April 15, 2025, 7:35 p.m.
  • Published: April 15, 2025, 7:35 p.m.
  • Modified: April 16, 2025, 1:20 p.m.

Attack Patterns

  • SpyNote