A new version of the SpyNote Trojan is designed to trick Android users into thinking it’s a legitimate Netflix application.
Once installed, the remote access Trojan (RAT) essentially hands control of the device over to the hacker, enabling them to copy files, view contacts, and eavesdrop on the victim, among other capabilities.
The malware is a new twist on the SpyNote RAT, a Trojan first uncovered on the dark web last summer by Palo Alto Networks. The most recent iteration, a product of the SpyNote Trojan builder, mimics a Netflix app and was discovered recently by researchers with Zscaler’s ThreatLabZ.
Deepen Desai, Zscaler’s senior director of security research and operations, told Threatpost Tuesday that while researchers haven’t seen this particular RAT variant being spammed in the wild yet, they did see it on one of their threat feeds.
According to the firm, after opening the malicious app, the icon disappears from the home screen but gets to work contacting its command and control server. It also uninstalls any antivirus protections a user may have set up on the device, in hopes of evading detection.
Perhaps the malware’s most troubling capability, SpyNote allows the attacker to execute commands.
“Command execution can create havoc for victim if the malware developer decides to execute commands in the victim’s device. Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day,” Shivang Desai, a researcher with the firm wrote Tuesday.
When it comes to surveillance, the RAT can take screen captures – and by taking advantage of the way the device handles audio – record conversations. According to researchers the malware hijacks the MediaProjection.Callback API, something first introduced in Android 5.0 Lollipop, to record audio. It saves the recorded content in a file, “video.mp4,” that can be sent back to the C2.
Like other RATs, this version of SpyNote can also steal SMS messages and contacts from infected devices and funnel them back to the C2. The malware steals the contacts and writes them as a local array before they’re exfiltrated, Desai said. It also, for good measure, collects the device’s location and sends that along to attackers.
While the RAT is sophisticated, there’s one catch, the firm claims. In order for the RAT to work, the infected device has to be connected to WiFi. That way it can transmit data and files to its C+C unfettered.
It’s likely not the last we’ll hear about SpyNote in 2017, the firm claims, adding that researchers there uncovered a handful of copycat apps built with the same SpyNote malware builder. Apps designed to mimic Instagram, WhatsApp, Facebook, Super Mario Run, and Pokemon Go are all making the rounds in the hacking community. So far this month they’ve already witnessed 120 different variants built with the tool.
Like the phony Netflix app, Desai told Threatpost while these apps aren’t in the wild quite yet, he knows the payloads are in development.
It’s unclear when attackers will begin to circulate these apps in earnest but the researchers are urging Android users to remain vigilant and only use apps downloaded through official app stores.
One way these illegitimate apps are spread is through third-party app stores. This past summer, in the early days of the Pokémon Go phenomenon, gamers eager to play the game were surprised with backdoored versions of the game. In its infancy the app was only available in the United States, meaning some users had to sideload APKs, often malicious, in order to play.
Researchers with Proofpoint observed one version rigged with a RAT dubbed DroidJack. While the app came bundled with a legitimate copy of the game, it also came with DroidJack, similar SpyNote, that let attackers view their victims WiFi connections, retrieve information on running apps, and change their network connectivity.
It’s the second attack this month based on tricking Netflix fans. Researchers uncovered a phishing campaign two weeks ago designed to dupe users into giving up their login information, credit card data and social security number.