Back to Research

Google

Malware

Spynote

Threat Intelligence

SpyNote Malware Part 2

Published on:

August 22, 2025

On This Page

Deceptive websites are mimicking popular Android application install pages on the Google Play Store to lure victims into downloading AndroidOS SpyNote malware, a potent Android RAT used for surveillance, data exfiltration, and remote control. This report highlights the resurfacing of SpyNote activity by the same actor in the previous DTI report in April and provides additional information around the recent activity and changes in tactics since the prior report. Notably, the actor made minor changes in IP resolutions and added additional anti-analysis in the APK dropper in an attempt to protect the SpyNote payload from detection.

Details

SpyNote is a highly intrusive Android Remote Access Trojan (RAT) with extensive capabilities for surveillance, data exfiltration, and device manipulation. It can remotely control a device’s camera and microphone, manage phone calls, and execute commands. Of particular concern is its keylogging functionality, which targets application credentials and abuses Android’s Accessibility Services to steal two-factor authentication (2FA) codes. Beyond data theft, SpyNote can also perform on-device actions like displaying overlay attacks for clickjacking. If granted administrator privileges, it gains the power to remotely wipe data, lock the device, or install additional malicious applications, making it a formidable threat for espionage and cybercrime.

The pages shown below are static clones, using HTML and CSS copied from the actual Google Play Store to appear legitimate. Their primary purpose is to trick users into downloading and installing an Android application package (.apk file). The “Install” button triggers a JavaScript function to download an .apk file directly from the malicious website.

Delivery Domain Registration and Website Patterns

Registrar

NameSilo, LLC
XinNet Technology Corporation

IP ISP:

Lightnode Limited
Vultr Holdings LLC

SSL Issuer:

Nameserver

dnsowl[.]com
xincache[.]com

Server Type:

nginx

Prominent IP Resolved:

154.90.58[.]26
199.247.6[.]61

Frequent HTML Code Inclusions

https[:]//unpkg[.]com/current-device@0.10.2/umd/current-device.min.js
“sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE”
“PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc”

Malware Delivery Website Review

The download() function is the core of the page’s malicious functionality.

It creates a hidden iframe and sets its source to a JavaScript URI that triggers a navigation to Chrome.apk. This is a common technique to initiate a file download from the browser without the user leaving the current page.

Malware Execution

1. Initial Dropper Decrypts Payload: The first APK reads encrypted assets, generates a key from its manifest, and decrypts the second-stage SpyNote payload.

The malware employs a dynamic payload technique to conceal its primary functions, loading them from a separate file only after the application is installed and running. This is achieved using a code injection method known as DEX Element Injection. The malware uses reflection to access and modify the app’s core ClassLoader at runtime, inserting its own malicious code elements at the very beginning of the code lookup path. This forces the Android system to prioritize and execute the malicious code over the app’s legitimate code, enabling it to bypass static security analysis and hijack application functions to intercept data.

The AndroidManifest file is protected and contains details needed to retrieve the AES decryption key from the Chrome.apk. In this case, the package name “rogcysibz.wbnyvkrn.sstjjs” is needed to retrieve the 16-byte AES key “62646632363164386461323836333631”.

Chrome.apk (Dropper)
48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8

Classes.dex (SpyNote)
86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8

Decrypted 000 + 001 (SpyNote * its assets/base dex File containing its C2 configurations)
b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4
703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d6

Within the assets/base/ folder there are two files: 000 and 001. The dropper essentially works by joining the 000 and 001 files (combined_assets). It then decrypts the combined assets with the AES key before gzip decompresses it. The resulting file is the SpyNote APK, which it loads in. This happens once the user installs the dropper, runs it, and taps a prompt in the app’s load screen. The decrypted file is another APK that the dropper loads which contains the main SpyNote functionality and configuration details for the command-and-control server (C2).

2. SpyNote Payload Loads C2 Logic: The main SpyNote APK dynamically loads another DEX file from its own `assets/base` folder. This DEX file contains the actual C2 connection logic.

3. C2 Logic Establishes Connection: The dynamically loaded DEX file contains the code to build the WebSocket URL for the C2 server.

In previously reported configurations, the C2s were hardcoded directly in the functions for sending traffic. In recent samples, they use control flow obfuscation and identifier obfuscation through random variations of o, O, and 0 for all names in an attempt to make it difficult to understand the program’s logic through static analysis.

Sample identifier obfuscation in a loaded DEX file:

4. C2 Domain Selection Logic: A utility method selects a domain from a predefined list, making the malware more resilient.

5. Hardcoded C2 Domain List: The final destination is a simple class that acts as a container for the hardcoded C2 domains.

Threat Actor Analysis

The threat actor distributing SpyNote malware exhibits persistence and limited technical adaptability. They consistently use deceptive Google Play Store clones to lure victims, a social engineering tactic that remains central to their operations. Despite previous exposure, their infrastructure remains confined to two primary IP addresses, showing a restricted capacity for diversification, though they do rotate specific IP resolutions. The anti-analysis techniques used in their APK droppers are relatively simple, employing basic obfuscation and dynamic payload decryption to protect the SpyNote payload.

The APK filenames suggest the spoofed brands or applications fall into these categories:

Social & Dating Apps: iHappy, CamSoda, Kismia, yome, TmmTmm
Gaming Apps: 8 Ball Pool, Block Blast
General Utility/Productivity Apps: Chrome, meus arquivos 2025, Beauty, Faísca Inicial, Compras Online, LoveVideo, GlamLive, Holding Hands

This actor is suspected of broadly targeting consumers with lures mimicking popular applications, including those related to fashion, social networking, and general utilities, as well as ubiquitous apps like Chrome and Zoom. This wide net, coupled with the surveillance and data exfiltration capabilities of SpyNote, strongly suggests a financially motivated objective. While the delivery code contains Chinese language comments, the specific attribution for this persistent and opportunistic threat actor remains unknown.

Conclusion

This report details a persistent SpyNote malware campaign by an actor relying on deceptive Google Play Store clones for delivery. Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis. The actor’s limited infrastructure adaptability and broad consumer targeting for financial gain highlight their opportunistic yet effective approach. This persistent activity underscores the ongoing threat of mobile RATs and the need for continuous vigilance against social engineering tactics, even from actors with limited technical sophistication.

Security Recommendations

To better protect consumers from threats like SpyNote, key players in the security ecosystem can enhance their defenses:

Browser Developers: Consider strengthening built-in malicious site warnings to automatically flag and block access to deceptive download pages such as fake Google Play Store sites. This helps users avoid suspicious sites entirely.

Android Antivirus Providers and Mobile OS Developers: Focus on advancing automated analysis of app downloads to quickly detect and prevent the installation of harmful software, even when it tries to hide. This provides a crucial layer of defense directly on the device.

Mobile VPN Providers: Explore integrating network-level security features that automatically filter out or alert to connections to known malicious servers. This adds another protective barrier, stopping threats before they can reach the user’s device.

IOCs

Malware Delivery

154.90.58[.]26
mcspa[.]top
pyfcf[.]top
atdfp[.]top
fkqed[.]top
mygta[.]top
fsckk[.]top
megha[.]top
pyane[.]top
bekmc[.]top
kasmc[.]top
fhkaw[.]top
hytsa[.]top
cfdta[.]top
fcewa[.]top
hekbb[.]top
spwtt[.]top
atubh[.]top
kshyq[.]top
ctdqa[.]top
kyhbc[.]top
gtuaw[.]top
snbyp[.]top
jewrs[.]top
pkdcp[.]top
byhga[.]top
bcgrt[.]top
kmyjh[.]top
https[:]//bcgrt[.]top/Beauty[.]apk
https[:]//cfdta[.]top/Fa%C3%ADscaInicial[.]apk
https[:]//kyhbc[.]top/002[.]apk
https[:]//megha[.]top/iHappy[.]apk
https[:]//jewrs[.]top/CamSoda[.]apk
https[:]//byhga[.]top/8%20Ball%20Pool[.]apk
https[:]//fhkaw[.]top/Kismia[.]apk
https[:]//fkqed[.]top/001[.]apk
https[:]//pkdcp[.]top/Fa%C3%ADscaInicial[.]apk
https[:]//spwtt[.]top/LoveVideo[.]apk
https[:]//mygta[.]top/Block%20Blast[.]apk
https[:]//pyane[.]top/Compras%20Online[.]apk
https[:]//pyfcf[.]top/001[.]apk
https[:]//gtuaw[.]top/Chrome[.]apk
https[:]//hytsa[.]top/Chrome[.]apk
https[:]//snbyp[.]top/meus%20arquivos%202025[.]apk
https[:]//atdfp[.]top/Holding%20Hands[.]apk
https[:]//kasmc[.]top/Fa%C3%ADscaInicial[.]apk
https[:]//ctdqa[.]top/003[.]apk
https[:]//kshyq[.]top/004[.]apk
https[:]//fsckk[.]top/yome[.]apk
https[:]//bekmc[.]top/TmmTmm[.]apk
https[:]//hekbb[.]top/GlamLive[.]apk
https[:]//kmyjh[.]top/001[.]apk
https[:]//atubh[.]top/Chrome[.]apk
https[:]//fcewa[.]top/Chrome[.]apk

‍

Droppers

db91da6b3e85d9c11255e50ef10e5636b1d5e5d9e417998daa22a58ae0b2c29f008160aa7dde3b25c4c576038e0bdfd5e9b03fbf458fa4a6f2ec024873d33c1c560a01f8ac823d031f941064e84c36376f3d37e46997bee773b2564ac58592e3f5369f99fce5d5e58ecff26134bb910244d0f70e56af5a5ec6ac1856c6c3a771ebe474f406f4588e0d59f1df2e482a0139c4bdbe1df9f30bb2a97c3244e023fadff83f2963415e34cf4cc45a05391a908e03a4f123e3d63caae006fecbd62e56d858ea1d137fc8ebac1ec0473b46da70f1900e88536d9ec022867ac229a3ea6cd2d3a2a69a0621c3f4618a09e897d86a96e82549a8711fe25743ed2c35dca87f9b9f2cb11b796f024dcac0f1c13cba09a4365d00aa0c7da5edb118df20d13c478500792f144260198d6d59a3adec1615ca26311ba0a593af42643141046b14635ca476403615ae8ec8c62c4aefdb1da60ce51a63281b003d8bc2d138f83e588b55291f9c2c9c7d2cb29455ea93e82688e218ef54d823b8c72ba09d9338e3c03b19487909541f035d35ef844e85fa6d7aa791597e82d7f7796469a6bc6d6b3bc24f2272abfae12c989eb0247085fc57640e588333a0c503eeb11a323d5f190736419afa34f38ce36226784b4cff034b1f31ef6047ac6ca73203a174ae554dc07240917eab11a3f60ad0de092ac12827c5760feb32bf795d25d9fc095ed08914983ff67dd91b6bcd655241a61bd2ec92de9a6e712ccf43d8d3c7830094dd60b09532945f0653f0c9182dc49c3c8bf6c791bdce40cf45eae67fc6b310a487f6fc0828ed0adb48c52c0ee7ffce6fecd53f15dc01e2d93d21b6457f92e20fd43a1e6d224bdd20279594a3925bf31602f8da2807d1cd4ca001a734f979f7ede52788582170751ec2cfc94e83d62e577f720c5ac48844f2a3d6b30c3411c3bf6d099bff1fd2df4967df64ac575c45d19bff506a380abcdeb0bf07a01b33821aa97f4a1af5e6d9878290060a6c7f9bde8720239398103615869db8731c32db55837db00e

‍

‍SpyNote

86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8f03e39ab4f75842b66958670e9b0672dfde4c2b0a7a5353e8c017d6a7819eee61a79b87f5c7c0fad73d6b661675036f2dd0870bf86e7f98cda783bcb71e50c24b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4daac37b4eb63b0fc5f8b61ed1d4c7d65a29e8a7a90a89a40dec8411c4f9d81d1703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d61467ecfb133fc161de04e5f64d06bf9c3c5613b95d455197c233f75d8fac093916bd6c30038b75fb69e07ed10c24994fc8307c58e7b9642f72be33308cce4daee85d0d457f3294caddf743039e95deea3b58104ba0a786aa68ae355765b9e22cd39ca965fe421974185f6aa4c88c037414a54091654c69ce5c1ffa190a7ad611f6be62ae0b3908119ea6bf124158681cd566e912b36b69c42d59ffbcff02fe3a6d459e4478a1eaba287473330ebcb892ad278b87da3ec2d2cbc0fb0899c462f823010eed33c74314fb8c7b1520228889d3ed69837b89902b39ee74c3fb8d8e90

‍

Command & Control

199.247.6[.]61
mskisdakw[.]top
fsdlaowaa[.]top
askkpl67[.]top
cnhau1wq[.]top
nhy58awn[.]top
sakjhu5588[.]top

‍

Shodan Hunting Queries

Tip: Look for fake Google Play Store sites or suspicious iframe JavaScript sources for file downloads.

http.html:"jscontroller=\pjICDe\""" http.html:""jsaction=\"rcuQ6b:npT2md;""
http.html:""sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE"" OR http.html:""PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc""
http.html:""VfPpkd-jY41G-V67aGc""
http.html:""iframe.src = \"javascript: '<script>location.href=\\\"""

‍

SpyNote Mobile ATT&CK Matrix

Capability	MITRE ATT&CK Mobile Technique	Technique ID
Stealing SMS messages	Collect SMS Messages	T1636.004
Accessing and exfiltrating contact list	Contact List	T1636.003
Reading call logs	Call Log	T1636.002
Tracking GPS location	Location Tracking	T1430
Accessing and potentially stealing files from external storage	Data from Local System	T1533
Extracting device information (IMEI, system specs)	Device Information Discovery	T1640
Monitoring network traffic	Network Traffic Monitoring	T1657
Stealing photos	Data from Local System	T1533
Activating the device's camera to capture photos or videos	Camera Capture	T1428
Recording audio from the device's microphone	Audio Capture	T1429
Making phone calls	Make Phone Call	T1646
Intercepting incoming phone calls and recording them	Call Recording	T1645
Providing a shell terminal for remote command execution	External Remote Services	T1132
Keylogging (recording keystrokes)	Input Capture	T1478
Targeting credentials for various applications (banking, social media)	Credentials in Files	T1555.004
Extracting two-factor authentication (2FA) codes	Credentials in Files	T1555.004
Displaying content over other applications (clickjacking)	Overlay Windows	T1641
Remotely wiping data	Data Destruction	T1485
Remotely locking the device	Device Lockout	T1486
Remotely resetting the device password	Reset Device Password	T1535
Downloading and installing new applications without user consent	Install Other Software	T1534
Self-updating	Update Software	T1539
Deleting collected data from the SD card	File Deletion	T1574
Detecting other installed applications	Installed Application List	T1518
Capturing screen content	Screen Capture	T1656
Targeting cryptocurrency accounts (stealing private keys, wallet info)	Credentials in Files	T1555.004
Injecting web links into web view modules within applications	Webview Injection	T1556
Hiding its application icon from the app launcher	Hide Icons	T1668
Automatically starting malicious services after device reboot	Event Triggered Execution: Broadcast Receivers	T1624.001
Implementing "diehard services" that are difficult to shut down	Persistence via System Application	T1520
Excluding itself from battery optimization settings	Disable or Modify System Configuration: Disable Battery Optimization	T1546.003
Displaying continuous silent notifications to maintain a persistent presence	Abuse of OS Features: Notifications	T1529
Monitoring system settings for attempts to remove the application and blocking them	Prevent Application Uninstall	T1547
Hijacking accessibility services to simulate user inputs to prevent uninstallation	Abuse of Accessibility Features	T1550
Automatically navigating back to the device's home screen when a user tries to access app settings	Application Manipulation	T1701

Reference: https://attack.mitre.org/matrices/mobile/

‍