Official forum for Utopia Community

You are not logged in.

#1 2023-08-02 23:23:56

Registered: 2023-01-04
Posts: 1,974

Targeting European Bank Clients with SpyNote Android Trojan Campaign

An aggressive campaign discovered in June and July 2023 targets a variety of European customers of various banks with the Android banking trojan known as SpyNote.

Italian cybersecurity company Cleafy stated in a technical analysis published on Monday that "the spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack.".

SpyNote, which is also known as SpyMax, is comparable to other Android banking Trojans in that it needs Android's accessibility permissions in order to obtain other crucial permissions and gather private information from infected devices. Due to its ability to both act as spyware and commit bank fraud, the malware strain stands out.

The attack chains start with a fake SMS message advising users to install a banking app by clicking on the link that appears with it. This links directs the victim to the real TeamViewer QuickSupport app that is available on the Google Play Store.

Security expert Francesco Iubatti claimed that "a number of [threat actors] have adopted TeamViewer to carry out fraud operations through social engineering attacks.". In particular, the assailant calls the victim and pretends to be a bank employee before carrying out fraudulent transactions on the victim's device. ".

The plan is to use TeamViewer as a conduit to get remote access to the victim's phone and covertly install the malware. SpyNote collects a variety of information, including SMS messages, keystrokes, screen captures, geolocation data, and keystrokes to get around SMS-based two-factor authentication (2FA).

Android Trojan SpyNote.
The revelation comes as the hacking group Bahamut has been connected to a fresh campaign that targets people in the Middle East and South Asia with the aim of installing a fake chat app called SafeChat that hides an Android malware called CoverIm.

Delivered to victims via WhatsApp, the app has features that are identical to those of SpyNote and asks for access permissions and other permissions to collect call logs, contacts, files, location, and SMS messages. It also asks for permission to install additional apps and steal data from Facebook Messenger, imo, Signal, Telegram, Viber, and WhatsApp.

According to Cyfirma, which discovered the most recent activity, the threat actor's methods are similar to those of the DoNot Team, a nation-state actor that was recently seen using rogue Android apps that were uploaded to the Play Store to infect people in Pakistan.

Android Trojan SpyNote.
Although the precise details of the social engineering component of the attack are unknown, Bahamut is well known for using fictitious personas on Facebook and Instagram to pose as journalists, students, activists, tech recruiters at major tech companies, and other people to trick unaware users into downloading malware on their devices.

According to information released by Meta in May 2023, "Bahamut used a variety of tactics to host and distribute malware, including running a network of malicious domains pretending to offer secure chat, file-sharing, connectivity services, or news applications.". "Some of them used spoofed versions of legitimate app stores, political parties, or local media outlets to make their links seem more trustworthy. ".


Board footer

Powered by FluxBB