Cybersecurity experts from F-Secure are warning Android users to be careful when downloading applications from third-party sources, as they could end up installing some nasty malware.
In their report, the researchers said that unnamed threat actors engaged in SMS phishing to try and deliver the SpyNote banking trojan to the victims. We don’t know who the attackers are, or if there is a specific cohort they’re targeting (for example, clients of a specific bank, or people living in specific geographies). It’s also impossible to determine exactly how many people were compromised.
But the analysts did dissect the banking trojan. SpyNote, as they found, comes with numerous information-stealing capabilities. It can access call logs, the camera, SMS messages, external storage, and can take screenshots, record video and audio. All of this works only if the victim grants the app accessibility permissions, which is the usual red flag and the best way to spot a malicious app.
Factory reset
When the user installs the app, it essentially disappears from the endpoint. Users can’t see it in the app drawer, in the “recent apps” menu, or anywhere else, for that matter. The attackers did this on purpose, to make it harder for the victims to uninstall the app. Even if they open the Settings tab and move to uninstall the app, the malware will shut the tab down, thanks to the accessibility permissions it was granted earlier.
It activates and starts stealing information after receiving the green light from the attackers. That can be either via an SMS message, or similar.
“The SpyNote malware app can be launched via an external trigger,” the researchers explained. “We created a minimalistic “Hello World”-style Android app, that only sends the necessary intent (an “intention” to perform an action). Upon receiving the intent, the malware app launches the main activity.”
The only way to remove the app, it seems, is to perform a factory reset of the device.
Via The Hacker News