SpyNote Android Trojan Builder Leaked Is Now Widely Available On The Dark Web

Palo Alto Networks’ Unit 42 team recently discovered a new Android Trojan called SpyNote which facilitates remote spying.Unit 42 discovered the Trojan while monitoring malware discussion forums. 

SpyNote is similar to OmniRat and DroidJack, which are RATs (Remote Administration Tools) that allow malware owners to gain remote administrative control of an Android device.
Droidjack made news earlier this month when researchers at Proofpoint found a rigged version of the massively popular game Pokémon Go with the Trojan. OmniRat is similar in function and was first spotted in Germany in November by researchers who said targeted victims received a text message asking them to download an app to view an image.

The Trojan, found has not been spotted in any active campaigns but warn that attacks are forthcoming.

SpyNote has many features that includes the following:
  1.     No root access required
  2.     Install new APKs and update the malware
  3.     Copy files from device to computer
  4.     View all messages on the device
  5.     Listen to calls made on the device
  6.     List all the contacts on the device
  7.     Listen live or record audio from the device’s microphone
  8.     Gain control of the camera on the device
  9.     Get IMEI number, Wi-Fi MAC address, and cellphone carrier details
  10.     Get the device’s last GPS location
  11.     Make calls on the device

Upon installation, SpyNote will remove the application’s icon from the victim’s device.The SpyNote APK requires victims to accept and give SpyNote many permissions, including the ability to edit text messages, read call logs and contacts, or modify or delete the contents of the SD card.
Once installed, SpyNote is hard to get rid off.

 The SpyNote builder application is developed in .NET
The application is neither obfuscated nor protected with any Obfuscator or Protector.




The above video is a demo a user appears to be running SpyNote showing a remote takeover of an Android device.

Unit 42 Team States that, The uploader might be following the instructions described in YouTube videos on using SpyNote, considering the port number used is exactly the same as in the videos and the uploader only changes the icon of the APK file .
SpyNote is configured to communicate with a command and control server via IP address via TCP using hard-coded SERVER_IP and SERVER_PORT values. That has given researchers the ability to extract C2 information from the malware. 

 
Unit 42 asserts, Installing apps from third-party sources can be very risky — those sources often lack the governance provided by official sources such as the Google Play Store, which, even with detailed procedures and algorithms to weed out malicious applications, is not impregnable. Side-loading apps from questionable sources exposes users devices to a variety of malware and possible data loss.

Thus far we have not observed SpyNote used in active attacks but we suspect cyber criminals will begin using it as the building of SpyNote is freely available.