SpyNote Spyware Targets European Bank Users
In a wave of cyber attacks that have sent shockwaves through the European banking sector, users of multiple financial institutions have fallen victim to the insidious SpyNote Android spyware. The notorious malware, traditionally known for espionage and data collection, has recently been repurposed by hackers to execute bank fraud on a massive scale.
The Cleafy Threat Intelligence Team first detected the aggressive campaign against users of financial institutions in June and July of this year. SpyNote, also known as SpyMax, leverages social engineering and Android's accessibility permissions to exploit users and gain control over their devices.
The attack chain typically commences with a deceptive smishing campaign. Unsuspecting victims receive fake SMS messages enticing them to install a new certified banking app. Once the user clicks on the accompanying link, they are redirected to the legitimate TeamViewer QuickSupport app on the Google Play Store for “technical support”. This app is then exploited by the hackers to gain remote access to the user’s device for the purpose of installing SpyNote.
With full control established, SpyNote springs into action, capturing sensitive data through various means. The malware employs keylogging techniques to record user activities, collects SMS messages, gains access to GPS locations, and more. Of particular concern is the malware's capability to intercept two-factor authentication (2FA) codes, effectively bypassing the security measures implemented by banks.
SpyNote utilizes defense evasion techniques, such as code obfuscation and anti-emulator controls, to complicate analysis. Additionally, the malware conceals its presence on the infected devices by hiding its application icon and preventing manual removal via settings.
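For defenders triaging a suspicious APK, the following is an added example (not code from Cleafy or from the campaign) that scans a decoded AndroidManifest.xml, such as one produced by apktool, for the combination described above: an accessibility service, SMS access, location access and no launcher icon. The function names, behaviour labels, permission mapping and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Article behaviours mapped to standard Android permissions; the mapping is
# an assumption of this example, not an indicator list published by Cleafy.
BEHAVIOUR_PERMS = {
    "sms_access": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "location_access": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
}
A11Y_BIND = P + "BIND_ACCESSIBILITY_SERVICE"
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifests (not taken from any real app or malware sample).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <activity android:name=".Main"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main"><intent-filter>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
  </application>
</manifest>"""

def triage_manifest(manifest_xml):
    """Return a sorted list of article-described behaviours the manifest allows."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = {name for name, perms in BEHAVIOUR_PERMS.items() if requested & perms}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service")):
        findings.add("accessibility_service")
    # No component with a LAUNCHER category means no icon in the app drawer.
    if LAUNCHER not in {c.get(ANDROID + "name") for c in root.iter("category")}:
        findings.add("no_launcher_icon")
    return sorted(findings)

def is_high_risk(findings):
    """Flag the pairing that enables 2FA interception: accessibility plus SMS."""
    return {"accessibility_service", "sms_access"} <= set(findings)
```

Legitimate apps such as screen readers also declare accessibility services, so treat the result as a triage signal that prompts deeper analysis. An icon hidden at runtime rather than in the manifest will not be caught by this check.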
The aggressive nature of the SpyNote campaign raises severe concerns for European banking customers. The malware's dual functionality as spyware and a tool for bank fraud makes it a potent threat, capable of inflicting severe financial losses and privacy violations.
Cleafy warns that threat actors will likely continue exploiting SpyNote's multiple functionalities in future attacks. As such, financial institutions and users must remain vigilant against phishing attacks and proactively update their security measures to defend against these evolving threats.