An espionage trojan called SpyNote RAT has been found masquerading as the popular Netflix app, to trick Android users into downloading it. It then sets about constantly eavesdropping on user activity.
Zscaler’s ThreatlabZ said that once installed, the malware is capable of activating the device’s microphone and listening to live conversations; uninstalling antivirus software; copying files from the device to the hacker’s server; recording screen captures; viewing contacts; reading SMS messages; and gaining remote control of the device.
To the latter point, command execution can create havoc for the victim if the malware developer decides to execute commands on the victim’s device. Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day.
“The spyware in this analysis was portraying itself as the Netflix app. Once installed, it displayed the icon found in the actual Netflix app on Google Play,” researchers explained, in an analysis. “As soon as the user clicks the spyware’s icon for the first time, nothing seems to happen and the icon disappears from the home screen. This is a common trick played by malware developers, making the user think the app may have been removed. But, behind the scenes, the malware has not been removed; instead it starts preparing its onslaught of attacks.”
SpyNote RAT also uses an unusual trick to make sure that it remains up and running and that the spying does not stop. It uses something called BootComplete, which is a broadcast receiver—an Android component that can register itself for a particular event. In this case, whenever the device is booted, BootComplete gets triggered. BootComplete then starts the AutoStartup service, which can perform long-running operations in the background and does not need a user interface. And then the AutoStartup service makes sure that the RAT’s core functionality is always running.
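The persistence pattern described above (a receiver registered for the boot event that starts a background service) is visible in an app's manifest. The following triage script is an added example, not Zscaler's code; it assumes the manifest has already been decoded from the APK's binary XML to plain text (e.g. with apktool), and the sample manifest, package name and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
# Permissions matching the capabilities the article attributes to the RAT.
SPY_PERMS = {
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.READ_SMS": "SMS reading",
    "android.permission.READ_CONTACTS": "contact access",
}

# Constructed sample manifest (not the real SpyNote sample): a boot receiver,
# a background service and eavesdropping permissions, as the article describes.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeflix">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".BootComplete">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".AutoStartup"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Flag the boot-receiver + service persistence pattern when it is paired
    with spying permissions. Returns a dict of findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    boot_receivers = []
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if BOOT_ACTION in actions:
            boot_receivers.append(recv.get(ANDROID_NS + "name"))
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")]
    spy_caps = [desc for perm, desc in SPY_PERMS.items() if perm in perms]
    return {
        "package": root.get("package"),
        "boot_receivers": boot_receivers,
        "services": services,
        "spy_capabilities": spy_caps,
        "suspicious": bool(boot_receivers and services and spy_caps),
    }

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Many legitimate apps register for BOOT_COMPLETED, so the receiver alone is only a lead; the combination with a background service and microphone or SMS permissions is what makes a decoy such as a fake streaming app worth a closer look.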
The team also found several other fake apps developed using the SpyNote builder, including faux versions of WhatsApp, YouTube Video Downloader, Google Update, Instagram, AirDroid, Facebook, Photoshop, SkyTV, Hotstar, Trump Dash and PokemonGo.
Overall, in just the first two weeks of 2017, there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild, the researchers noted.
“The days when one needed in-depth coding knowledge to develop malware are long gone,” they said. “Nowadays, script kiddies can build a piece of malware that can create real havoc. Moreover, there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and a few clicks. Because mobile devices are everywhere, malware is everywhere, too. That’s why Zscaler advises all mobile users to take precautions when downloading anything to their devices, including apps.”
In particular, users should avoid side-loading apps from third-party app stores and avoid the temptation to download and play games that are not yet officially available on Android.