SpyNote Targets Utility Company Customers

Written by The Hivemind | Aug 4, 2023 6:38:03 PM

Verticals Targeted: Utilities, Energy, Water, Critical Infrastructure

Executive Summary

SpyNote, an Android spyware, was used to target utility company customers in Japan. SpyNote leverages accessibility services and device administrator privileges, allowing it to steal device and user information, including contacts, SMS messages, phone calls, and location data.

Key Takeaways

  • SpyNote, an Android spyware, was used to target utility company customers in Japan. 
  • SpyNote leverages accessibility services and device administrator privileges. 
  • It steals device and user information, including contacts, SMS messages, phone calls, and location data. 

What is SpyNote?

McAfee recently reported on a smishing campaign leveraging SpyNote to target utility company customers in Japan. SpyNote is a remotely controlled Android spyware. While SpyNote has been in the wild for quite some time, activity leveraging this malware has increased since its source code was leaked in late 2022. Earlier this year, SpyNote was observed being used to target financial institutions.

The utility-focused campaign leveraged SMS message alerts masquerading as official alerts from a power or water infrastructure company, claiming account payment issues and suspension of service. The messages lured victims to a phishing website, which started downloading the malware and displayed an installation confirmation dialog.

SpyNote uses an app icon that resembles a legitimate app, so victims are less likely to be suspicious of it. When the victim launches the app, a fake settings screen appears, tricking the victim into enabling the Accessibility feature. Once Accessibility is enabled, SpyNote disables battery optimization so it can run in the background unnoticed. It also grants itself permission to install apps from unknown sources, so follow-on payloads can be installed without the victim’s consent.

SpyNote’s capabilities include stealing device and user information, such as contacts, SMS messages, 2FA, phone calls, social media account information, and location data.
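The behaviour described above can be turned into a manifest triage check. The following is an added example, not code from PolySwarm or McAfee: it reads a decoded AndroidManifest.xml (for instance, apktool output) and flags an accessibility-service binding that co-occurs with a persistence or installer permission and with access to user data. The mapping from the write-up's behaviours to Android permission names, the function names, and both sample manifests are assumptions of this example, and a hit is a reason for manual review, not a verdict.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Behaviours named in the write-up -> manifest declarations (this mapping is an assumption).
BINDINGS = {P + "BIND_ACCESSIBILITY_SERVICE": "accessibility-service",
            P + "BIND_DEVICE_ADMIN": "device-admin"}
ENABLERS = {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery-opt-exemption",
            P + "REQUEST_INSTALL_PACKAGES": "unknown-source-install"}
DATA = {P + "READ_SMS": "sms", P + "READ_CONTACTS": "contacts",
        P + "READ_CALL_LOG": "call-log", P + "ACCESS_FINE_LOCATION": "location"}

def declared_behaviours(manifest_xml):
    """Return the set of flagged behaviours a decoded manifest declares."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("decoded manifests carry no DTD; refusing to parse")
    root = ET.fromstring(manifest_xml)
    found = set()
    for el in root.iter("uses-permission"):
        name = el.get(NS + "name")
        found.add(ENABLERS.get(name) or DATA.get(name))
    # Accessibility services and device-admin receivers are bound via android:permission.
    for el in list(root.iter("service")) + list(root.iter("receiver")):
        found.add(BINDINGS.get(el.get(NS + "permission")))
    found.discard(None)
    return found

def needs_review(manifest_xml):
    """True when accessibility binding, a persistence/installer enabler and data access co-occur."""
    found = declared_behaviours(manifest_xml)
    enablers = set(ENABLERS.values()) | {"device-admin"}
    return ("accessibility-service" in found
            and bool(found & enablers)
            and bool(found & set(DATA.values())))

# Constructed sample manifests (not taken from any real APK).
HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">'
SUSPICIOUS = HEAD + """
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN = HEAD + """
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, sorted(declared_behaviours(xml)), needs_review(xml))
```

Legitimate accessibility tools can match the same combination, so pair a hit with the app's install source and signing certificate before acting on it.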

IOCs

PolySwarm has multiple samples of SpyNote.

 

You can use the following CLI command to search for all SpyNote samples in our portal:

$ polyswarm link list -f SpyNote

 
