Threat actors are constantly using new tricks and tactics to target users across the globe. This blog is about SpyNote, an Android RAT targeting Indian Defense personnel. The initial attack vector information was found on the newindianexpress website.
Let’s now get into the details of how this SpyNote works.
This RAT is propagated via WhatsApp with the name “CSO_SO on Deputation DRDO. apk“.
Once the user falls prey to this RAT and installs the malicious “CSO_SO on Deputation DRDO. apk”, the app disguises itself with the genuine Adobe Reader icon in the device's app drawer, as shown in Figure 1.
Upon launch, the application opens a Google Drive URL hardcoded in the app's “strings.xml” file and displays the images shown in Figure 2. The hardcoded Google Drive URL in “strings.xml” is shown in Figure 3.
Figure 4 shows that the malware declares services in its AndroidManifest.xml file that are not defined in the classes.dex at the APK's root. This indicates that the services' classes, or another dex file containing them, are loaded into memory at run-time using one of the dynamic loading techniques.
The SpyNote sample we analyzed uses the “base application context” technique through the class “com.android.protector.ProtectApplication”, as shown in Figure 5.
Hence, when the application's launcher activity is triggered, the “attachBaseContext” function of “com.android.protector.ProtectApplication” is executed; the other classes.dex files carried within the APK are loaded, and functions in them are invoked using reflection and MultiDex support, as shown in Figures 6 and 7.
Looking at logcat at runtime, with MultiDex support the secondary dex file is loaded as base.apk.classes1.zip and converted into the executable ‘base.apk.classes1.odex’, as shown in Figure 8.
Analyzing the Payload
The payload file base.apk.classes1.zip, shown in Figure 9, contains the references to the services' classes declared in the AndroidManifest.xml.
This malware collects location information like altitude, latitude, longitude, precision and even the speed at which the device is moving as shown in Figure 10.
SpyNote then combines all the aforementioned data and compresses it (using the GZIPOutputStream API) before forwarding it to the C2 server, as shown in Figure 11.
This RAT contacts the C2 server at IP 213.136.80[.]208, which is hardcoded in the “strings.xml” file (refer to Figure 3). Figure 12 shows the connection established with the C2.
After the connection is established, the malware sends the gzip compressed data to the C2 as evident from the network packet’s header in Figure 13.
The decompressed content of the data is shown below in Figure 14.
Decode packets from the C2
The C2 responds with a series of compressed data which, when decompressed, turns out to be system commands and the related APK payload, as shown in Figure 15. In our case, the APK was extracted using CyberChef.
We analyzed the C&C command ‘info’ and the associated APK. This command collects clipboard data and checks the victim's device for a hardcoded list of mobile security products, possibly with the aim of disabling them or reporting their presence to the C2.
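The gzip framing described above (outbound data compressed with GZIPOutputStream, and a C2 reply made of several compressed members with an APK inside) can be unpacked without CyberChef. The following Python is an added analysis helper, not code from the original post or from the malware: it flags a packet payload that opens with a gzip header, splits a captured C2 reply into its individual gzip members, labels each as a command string or an embedded APK, and stops cleanly on a truncated capture. The sample C2 reply is constructed here (the ‘info’ command followed by a stand-in APK); the real command format is not reproduced.

```python
import gzip
import io
import zipfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"
ZIP_MAGIC = b"PK\x03\x04"   # local file header of a ZIP, hence of an APK

def is_gzip_payload(packet_payload: bytes) -> bool:
    """True if a TCP payload opens with a gzip header (magic + deflate method),
    the tell-tale seen in the malware's outbound packets."""
    return packet_payload[:2] == GZIP_MAGIC and packet_payload[2:3] == b"\x08"

def split_gzip_members(stream: bytes) -> list[bytes]:
    """Decompress a stream of back-to-back gzip members one at a time.
    gzip.decompress() would merge them; decompressobj keeps the boundaries."""
    members = []
    pos = stream.find(GZIP_MAGIC)
    buf = stream[pos:] if pos >= 0 else b""
    while buf.startswith(GZIP_MAGIC):
        d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # gzip framing
        out = d.decompress(buf)
        if not d.eof:          # truncated member: stop rather than guess
            break
        members.append(out)
        buf = d.unused_data    # bytes after this member = next member
    return members

def classify(member: bytes) -> str:
    """Label a decompressed member: embedded APK, printable command, or other."""
    if member.startswith(ZIP_MAGIC):
        return "apk"
    if member and all(32 <= b < 127 or b in (9, 10, 13) for b in member):
        return "command"
    return "binary"

def carve_apks(stream: bytes) -> list[bytes]:
    return [m for m in split_gzip_members(stream) if classify(m) == "apk"]

def apk_names(apk: bytes) -> list[str]:
    """List the entries of a carved APK (an APK is a ZIP archive)."""
    return zipfile.ZipFile(io.BytesIO(apk)).namelist()

def _fake_apk() -> bytes:
    # Constructed stand-in APK: a ZIP holding only a dummy manifest.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
    return buf.getvalue()

# Constructed sample C2 reply: the 'info' command, then the stand-in APK.
SAMPLE_C2_RESPONSE = gzip.compress(b"info") + gzip.compress(_fake_apk())
```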
The structure of the commands sent from the C2 to victims’ device is as follows:
At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Also keep your devices updated and patched against the latest vulnerabilities.
Indicators of Compromise (IoC)
| Package Name | Hash | K7 Detection Name |
|---|---|---|
| com.editorpdf.acrobat | F115C634016A9199054358515C19B40B | Trojan ( 005652621 ) |
| Tactic | Technique |
|---|---|
| Defense Evasion | Application Discovery, Obfuscated Files or Information, Virtualization/Sandbox Evasion |
| Discovery | Security Software Discovery, System Information Discovery |
| Collection | Email Collection, Data from Local System |
| Command and Control | Encrypted Channel, Non-Standard Port |