Android SpyNote Malware Utilizes False Volcano Eruption Warnings for Distribution

The SpyNote Android malware has been identified in attacks focused on Italy, where it exploits a counterfeit ‘IT-alert’ public warning system to infect users with data-stealing malware.

The ‘IT-alert’ service is a legitimate emergency notification service managed by the Italian government’s Department of Civil Protection. It is designed to provide crucial alerts and guidance to the public during potential or ongoing disasters such as wildfires, floods, earthquakes, and more.

Researchers were the first to detect the bogus IT-alert website, which issues a false warning about an imminent volcanic eruption, urging visitors to install a related app for staying informed.

If a user attempts to download the app on an iOS device, they are redirected to the genuine IT-alert site. However, Android users who try to download the app directly are provided with ‘IT-Alert.apk.’

This APK file installs the SpyNote malware on the Android device and requests access to Android’s Accessibility services; once granted, that access allows attackers to carry out a variety of invasive actions on the compromised device.

SpyNote is also capable of launching overlay injection attacks, which are used to steal user credentials when the victim opens banking, cryptocurrency wallet, and social media apps.

Among the documented functionalities of this malware are camera recording, GPS and network location tracking, standard keylogging, screenshot capture, phone call recording, and the targeting of Google and Facebook accounts.

The SpyNote Android malware was initially identified in 2022 and has since evolved into its third major version, which is available to cybercriminals through the messaging app Telegram.

In January 2023, a report from ThreatFabric warned of a surge in SpyNote detections after the source code of one of its variants, known as ‘CypherRat,’ was leaked.

Some individuals who acquired this leaked source code developed customized versions to target specific banks, while others disguised it as Google’s Play Store, Play Protect, WhatsApp, and Facebook.

A recent report highlights the growing significance of SpyNote, providing a comprehensive analysis of its features and capabilities.

To protect against such threats, it is crucial to avoid downloading and installing APKs from sources outside the official Google Play Store unless you have complete trust in the publisher.
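One way to operationalize this advice on a managed or suspect device is to cross-check which installed packages came from outside the Play Store and which of those hold Accessibility access, the capability SpyNote abuses above. The script below is an added example, not code from the article or any vendor; it parses the output of two real adb commands (`pm list packages -i` and `settings get secure enabled_accessibility_services`), and the sample output, package names and the trusted-installer set are constructed assumptions.

```python
"""Triage helper: flag sideloaded apps that hold Accessibility access.

Parses the output of two real adb commands (the sample output below is
constructed for illustration, not captured from a device):
  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
"""
import re
from typing import Dict, List, Set

# Assumption: only the Play Store counts as a trusted installer here.
# Extend with OEM stores or MDM installers as appropriate for the fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Each line looks like:  package:<name>  installer=<installer or null>
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when sideloaded)."""
    result: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility(settings_output: str) -> Set[str]:
    """Packages with an enabled accessibility service.

    The setting is a colon-separated list of <package>/<service> entries;
    an empty value or the literal 'null' means no service is enabled.
    """
    out = settings_output.strip()
    if not out or out == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in out.split(":") if entry}


def flag_suspicious(pm_output: str, settings_output: str) -> List[str]:
    """Return packages that hold Accessibility access but were not
    installed by a trusted installer (unknown packages count as 'null')."""
    installers = parse_installers(pm_output)
    enabled = parse_accessibility(settings_output)
    return sorted(pkg for pkg in enabled
                  if installers.get(pkg, "null") not in TRUSTED_INSTALLERS)


# Constructed sample data: one Play-installed screen reader, one sideloaded
# app (placeholder name) that has enabled an accessibility service.
SAMPLE_PM = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.italert  installer=null
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.italert/com.example.italert.AccService")

if __name__ == "__main__":
    print(flag_suspicious(SAMPLE_PM, SAMPLE_A11Y))
```

Preinstalled system packages also report `installer=null`, so confirm any hit against `adb shell pm list packages -s` before treating it as sideloaded.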