Researchers at the cybersecurity firm ThreatFabric have described the malware, which belongs to the SpyNote family, as trojan spyware that has been active since 2016 and allows cybercriminals to monitor and alter users' activities on Android smartphones without being detected.
The newest SpyNote edition, marketed to online criminals as CypherRat, has been operational since late 2021. However, after the source code was published online in October 2022, researchers saw a sharp increase in CypherRat samples and campaigns.
Some well-known institutions impersonated by this malware include HSBC U.K., Deutsche Bank, Kotak Mahindra Bank, and Nubank.
The feature-rich SpyNote malware can install arbitrary apps, collect SMS messages, calls, videos, and audio recordings, monitor GPS positions, and even prevent attempts to delete the app.
Additionally, it mimics the behavior of other banking malware by requesting access to services in order to extract two-factor authentication (2FA) tokens from Google Authenticator. The malware also records keystrokes in order to steal banking credentials.
The most recent version of SpyNote, known as SpyNote.C, also includes features for stealing Facebook and Gmail passwords and capturing screen information using Android's MediaProjection API. Experts say this is the first variant to affect banking applications and other well-known apps like Facebook and WhatsApp.
SpyNote.C has also been known to impersonate the official Google Play Store service and other generic programs covering the wallpaper, productivity, and gaming categories.
According to estimates, between August 2021 and October 2022, 87 unique consumers bought SpyNote.C after its developer, CypherRat, promoted it through a Telegram channel. However, a dramatic rise in the number of samples was seen when CypherRat became open source in October 2022, indicating that other criminal organizations are using the malware for their operations.