A prolific and powerful form of Android malware has switched its attention to online banking applications, using abilities including keylogging to steal usernames and passwords for bank accounts, social media profiles and more.
Detailed by researchers at cybersecurity company ThreatFabric, the Android malware is part of the SpyNote family, a form of trojan spyware which has been active since 2016 and provides cyber attackers with the ability to secretly spy on and modify users' activity on Android smartphones.
The newest SpyNote variant has been active since late 2021, sold to cyber criminals under the name CypherRat. The source code was made available online in October 2022 and since then researchers have detected a steep rise in CypherRat samples and campaigns.
Since the source code was published online, there has been a dramatic increase in the number of SpyNote attacks which appear to be specifically targeting online banking applications and financial details.
These SpyNote campaigns involve the malware posing as legitimate banking applications including HSBC, Deutsche Bank, Kotak Bank, BurlaNubank, as well as popular Android applications like WhatsApp, Facebook, and Google Play.
These fake applications are typically distributed through phishing campaigns which direct potential victims to websites which trick them into downloading a fake version of an application, one which infects their Android phone with SpyNote malware – and the campaign appears to be working.
"The volume of samples that we see, which is in the order of hundreds per week since October 2022, indicates that actors are finding some success in this operation," Lasha Khasaia, Android malware reverse engineer at ThreatFabric told ZDNET.
After installation, the malware gains permissions to use accessibility services and device administration privileges – which ultimately provide it with secret control over the device while also making it difficult for users to uninstall the application.
The key goal of this incarnation of SpyNote is stealing banking credentials, which it does by presenting a bogus login page for the bank and using a keylogger to secretly capture the usernames and passwords entered. The malware also abuses accessibility functions to extract multi-factor authentication codes.
The malware can also be used to track SMS messages, calls, videos, and audio recordings in addition to updating its version and even installing new applications, along with the ability to track the location of the device.
Researchers note that while these tools aren't necessarily connected to banking fraud, they can provide attackers with additional information about the victim, which they could exploit to commit additional fraud or sell on.
And it's likely that the malware will continue to be a threat to Android users, due to the code behind it being available for free - so there's the potential that new variants could emerge.
With smartphones such an important part of our lives, they're a big target for cyber criminals who can gain access to bank details, usernames, passwords and all manner of sensitive information if they successfully compromise a device.
In the case of the latest SpyNote campaign, the malware is distributed via third-party sites, which means you can reduce the risk by only downloading applications from official sources, like the Google Play Store.
"Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Users are protected by Google Play Protect, which can warn users or block identified malicious apps on Android devices," a Google spokesperson told ZDNET.
You should also be wary of any unexpected emails which claim to be from your bank, especially if they ask you to log in or download an application – this could be part of a phishing attack and the message should be deleted.
If you're still unsure whether the message is real or not, you can check to see if your bank account really does have any alerts by logging into your account – not via any link in the email, but from the legitimate website.