Caught in the Act: Uncovering SpyNote in Unexpected Places
Essential information
- Published
- 20/06/2025 19:26
- Modified
- 23/06/2025 23:15
- Tags
- 2025-06-20 accessibility services android c2 infrastructure data exfiltration device administrator malicious apps open directories spynote spyware
- Related entities
- 2 observables, 2 others
Description
Multiple samples of SpyNote, a sophisticated Android spyware, were discovered in open directories, disguised as legitimate apps like Google Translate, Temp Mail, and Deutsche Postbank. The malware exploits accessibility services and device administrator privileges to steal sensitive information from infected devices. Samples were found on various servers, including AWS and SonderCloud Limited, with different command and control (C2) infrastructures. The discovery highlights the ongoing threat of SpyNote, especially after its source code leak in late 2022, and emphasizes the importance of proactive threat detection and analysis.