Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an offensive campaign detected in June and July 2023.
“Spyware is distributed through email phishing or smishing campaigns and fraudulent activities are executed with a combination of Remote Access Trojan (RAT) capabilities and Vishing attacks,” Italian cyber security firm Cleafy said in a technical analysis released on Monday.
SpyNote, also known as SpyMax, is similar to other Android banking trojans in that it requires Android’s accessibility permissions in order to grant itself other necessary permissions and collect sensitive data from infected devices. What makes this malware strain remarkable is its dual role as spyware and as a banking-fraud tool.
The attack chain begins with a spoofed SMS message urging users to install a banking app by clicking on the embedded link, which instead redirects the victim to the legitimate TeamViewer QuickSupport app available on the Google Play Store.
“TeamViewer has been adopted by many [threat actors] to carry out fraudulent operations through social engineering attacks,” said security researcher Francesco Iubatti. “Specifically, the attacker calls the victim posing as a bank operator, and conducts fraudulent transactions directly on the victim’s device.”
The idea is to use TeamViewer as a means to gain remote access to a victim’s phone and silently install the malware. The information collected by SpyNote includes geolocation data, keystrokes, screen recordings, and SMS messages, the last of which lets the operators bypass SMS-based two-factor authentication (2FA).
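As an added defensive example that is not part of the article or of Cleafy’s analysis, the Python script below triages an Android manifest for the capability profile described above: an accessibility service combined with SMS, location and app-install permissions. The sample manifest and package name are constructed for illustration.

```python
"""Static manifest triage for the SpyNote-style capability profile (constructed example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission groups mapped to the data types the article says SpyNote harvests.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "install_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def _attr(elem, name):
    """Read a namespaced android:* attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def declares_accessibility_service(root):
    """True if any <service> is bound as an accessibility service."""
    for svc in root.iter("service"):
        if _attr(svc, "permission") == A11Y_PERMISSION:
            return True
        if any(_attr(a, "name") == A11Y_ACTION for a in svc.iter("action")):
            return True
    return False

def assess_manifest(manifest_xml):
    """Return the requested capabilities and a coarse verdict for a manifest string."""
    root = ET.fromstring(manifest_xml)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    found = {cap: sorted(requested & perms) for cap, perms in CAPABILITIES.items() if requested & perms}
    a11y = declares_accessibility_service(root)
    # Accessibility lets the app self-grant further prompts; SMS access defeats SMS 2FA.
    # The overlap of both is the combination worth escalating in a review queue.
    high = a11y and "sms_interception" in found
    verdict = "high" if high else ("medium" if (a11y or found) else "low")
    return {"package": root.get("package"), "accessibility_service": a11y,
            "capabilities": found, "verdict": verdict}

# Constructed sample manifest mimicking a fake banking app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST))
```

The check is a triage heuristic only; legitimate accessibility tools also bind an accessibility service, so a "high" verdict means review, not blocklisting.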
The revelation comes as the hack-for-hire operation known as Bahamut has been linked to a new campaign that targets individuals in the Middle East and South Asia, luring them into installing a dummy chat app called SafeChat, which hides Android malware called CoverIM.
Distributed to victims via WhatsApp, the app has features similar to Spynote, collecting call logs, contacts, files, locations, SMS messages, as well as accessing permissions to install additional apps and steal data from Facebook Messenger, Signal, Telegram, Viber, imo and WhatsApp.
Cyfirma, which disclosed the latest activity, said that the tactics adopted by this threat actor overlap with those of another nation-state actor known as the DoNot Team, which has recently been reported to be based in Pakistan. Rogue Android apps published on the Play Store have been observed being used to infect individuals.
While the exact specifics of the social engineering aspect of the attack are unclear, Bahamut is known to rely on fictitious personas on Facebook and Instagram pretending to be tech recruiters at large tech companies, journalists, students and activists in order to trick users into unwittingly downloading malware onto their devices.
Meta revealed in May 2023, “Bahamut used a number of tactics to host and distribute the malware, including running a network of malicious domains offering secure chat, file-sharing, connectivity services or news applications. Domains from regional media outlets, political organizations or legitimate app stores are likely to make their links more legitimate.”