SpyNote is an Android remote access trojan (RAT) that was leaked on malware discussion forums in mid-2016. It is similar to Android RATs OmniRAT and DroidJack. SpyNote has the ability to update itself, download and install new apps, view SMS messages, access the phone's last GPS location, listen to and record audio from the device's microphone, access the video camera, listen to calls, make calls, retrieve contact lists, and access technical details such as the device IMEI number, WiFi MAC address, and carrier details.

This trojan gains some of these capabilities by requesting extensive and intrusive permissions as a user installs the app onto the device. Once installed, the application icon is removed from the victim's device. SpyNote is unique as it does not need root access to the device in order to obtain these capabilities. SpyNote version 2 allows users to build their own version of the RAT that can communicate with C2 servers configured during the building process. Though SpyNote has not yet been seen in active attacks, Palo Alto Networks expects cybercriminals to begin using it since the builder for SpyNote is freely available.

Reporting

• January 2017: The trojan is infecting victims by hiding inside a fake Netflix app, using the company’s official logo as its icon. (Zscaler)

Technical Details

• Palo Alto Networks provides technical details on the SpyNote RAT, available here.