Watch out – this nasty Android trojan can record your video and audio calls

Cybersecurity experts at F-Secure warn Android users to be careful when downloading applications from third-party sources as they may end up installing nasty malware.

In their report, the researchers state that unnamed threat actors are using SMS phishing to try to deliver the SpyNote banking trojan to victims. We don’t know who the attackers are or whether they are targeting a specific group (for example, customers of a specific bank or people living in specific regions). It is also impossible to determine exactly how many people have been compromised.

But the analysts did dissect the banking trojan. SpyNote, as they discovered, comes with numerous capabilities for stealing information. It can access call logs, the camera, text messages and external storage, and it can take screenshots and record video and audio. All this only works if the victim grants the app accessibility permissions; that request is the usual red flag and the best way to spot a malicious app.

Factory settings

When the user installs the app, it essentially disappears from the endpoint. Users won’t be able to see it in the app drawer, recent apps menu, or anywhere else, for that matter. The attackers did this on purpose to make it more difficult for victims to delete the app. Even if they open the Settings tab and try to uninstall the app, the malware closes the tab, thanks to the accessibility permissions previously granted.

It activates and starts stealing information after receiving the green light from the attackers. This can be done via a text message or something similar.

“The SpyNote malware app can be launched via an external trigger,” the researchers explain. “We created a minimalist ‘Hello World’ style Android app, which sends only the necessary intent (an ‘intent’ to perform an action). After receiving the intent, the malware app launches the main activity.”

The only way to uninstall the app, it seems, is to reset the device to factory settings.
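The two traits described above, an app with no launcher icon that holds an enabled accessibility service, can be checked on a device under investigation. The following is an added triage example, not code from F-Secure's report; it assumes the three text inputs were captured with the adb commands named in the comments, and all package names are constructed.

```python
"""Triage heuristic: third-party apps that hold an enabled accessibility
service but expose no launcher icon. Inputs are text captured via adb."""

def parse_packages(pm_output):
    # `adb shell pm list packages -3` prints one "package:<name>" per line.
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def parse_accessibility(setting_value):
    # `adb shell settings get secure enabled_accessibility_services` prints
    # colon-separated "<package>/<service class>" entries, or "null" if unset.
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {e.split("/", 1)[0] for e in value.split(":") if "/" in e}

def parse_launcher(query_output):
    # `adb shell cmd package query-activities --brief
    #    -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`
    # Component lines look like "<package>/<activity>"; the rest are headers.
    pkgs = set()
    for line in query_output.splitlines():
        token = line.strip()
        if "/" in token and " " not in token and "=" not in token:
            pkgs.add(token.split("/", 1)[0])
    return pkgs

def hidden_accessibility_apps(pm_output, a11y_setting, launcher_output):
    # Third-party AND accessibility-enabled AND absent from the launcher.
    candidates = parse_packages(pm_output) & parse_accessibility(a11y_setting)
    return sorted(candidates - parse_launcher(launcher_output))

# Constructed sample captures (not from a real device).
PM_OUT = ("package:com.example.notes\n"
          "package:com.example.screenreader\n"
          "package:com.example.hidden.updater\n")
A11Y = ("com.example.screenreader/.ReaderService:"
        "com.example.hidden.updater/com.example.hidden.updater.Svc")
LAUNCHER = ("2 activities found:\n"
            "  Activity #0:\n"
            "    priority=0 preferredOrder=0 match=0x108000 isDefault=true\n"
            "    com.example.notes/.MainActivity\n"
            "  Activity #1:\n"
            "    priority=0 preferredOrder=0 match=0x108000 isDefault=false\n"
            "    com.example.screenreader/.SettingsActivity\n")

if __name__ == "__main__":
    for pkg in hidden_accessibility_apps(PM_OUT, A11Y, LAUNCHER):
        print("review:", pkg)
```

A hit is a lead for manual review rather than a verdict, since the heuristic only matches the behaviour the article describes.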

Via The Hacker News
