Deceptive websites are mimicking popular Android application install pages on the Google Play Store to lure victims into downloading AndroidOS SpyNote malware, a potent Android RAT used for surveillance, data exfiltration, and remote control. This report highlights the resurfacing of SpyNote activity by the same actor covered in the previous DTI report in April, and provides additional information on the recent activity and the changes in tactics since that report. Notably, the actor made minor changes to IP resolutions and added further anti-analysis measures to the APK dropper in an attempt to protect the SpyNote payload from detection.

Details

SpyNote is a highly intrusive Android Remote Access Trojan (RAT) with extensive capabilities for surveillance, data exfiltration, and device manipulation. It can remotely control a device’s camera and microphone, manage phone calls, and execute commands. Of particular concern is its keylogging functionality, which targets application credentials and abuses Android’s Accessibility Services to steal two-factor authentication (2FA) codes. Beyond data theft, SpyNote can also perform on-device actions like displaying overlay attacks for clickjacking. If granted administrator privileges, it gains the power to remotely wipe data, lock the device, or install additional malicious applications, making it a formidable threat for espionage and cybercrime.

The pages shown below are static clones, using HTML and CSS copied from the actual Google Play Store to appear legitimate. Their primary purpose is to trick users into downloading and installing an Android application package (.apk file). The “Install” button triggers a JavaScript function to download an .apk file directly from the malicious website.

Delivery Domain Registration and Website Patterns

Registrar

  • NameSilo, LLC
  • XinNet Technology Corporation

IP ISP

  • Lightnode Limited
  • Vultr Holdings LLC

SSL Issuer

  • R10
  • R11

Nameserver

  • dnsowl[.]com
  • xincache[.]com

Server Type

  • nginx

Prominent IP Resolved

  • 154.90.58[.]26
  • 199.247.6[.]61

Frequent HTML Code Inclusions

  • https[:]//unpkg[.]com/[email protected]/umd/current-device.min.js
  • “sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE”
  • “PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc”

Malware Delivery Website Review

The download() function is the core of the page’s malicious functionality.

It creates a hidden iframe and sets its source to a JavaScript URI that triggers a navigation to Chrome.apk. This is a common technique to initiate a file download from the browser without the user leaving the current page.

Malware Execution

1. Initial Dropper Decrypts Payload: The first APK reads encrypted assets, generates a key from its manifest, and decrypts the second-stage SpyNote payload.

The malware employs a dynamic payload technique to conceal its primary functions, loading them from a separate file only after the application is installed and running. This is achieved using a code injection method known as DEX Element Injection. The malware uses reflection to access and modify the app’s core ClassLoader at runtime, inserting its own malicious code elements at the very beginning of the code lookup path. This forces the Android system to prioritize and execute the malicious code over the app’s legitimate code, enabling it to bypass static security analysis and hijack application functions to intercept data.

The AndroidManifest file is protected and contains details needed to retrieve the AES decryption key from the Chrome.apk. In this case, the package name “rogcysibz.wbnyvkrn.sstjjs” is needed to retrieve the 16-byte AES key “62646632363164386461323836333631”. 

Chrome.apk (Dropper)
48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8

Classes.dex (SpyNote)
86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8

Decrypted 000 + 001 (SpyNote APK and its assets/base DEX file containing its C2 configuration)
b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4
703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d6

Within the assets/base/ folder there are two files: 000 and 001. The dropper joins them into a single buffer (combined_assets), decrypts the result with the AES key, and then gzip-decompresses it. The output is the SpyNote APK, which the dropper loads. This happens once the user installs the dropper, runs it, and taps a prompt on the app’s load screen. The decrypted APK contains the main SpyNote functionality and the configuration details for the command-and-control (C2) server.
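The unpacking sequence described above (join 000 and 001, AES-decrypt with the 16-byte key, gzip-decompress, load the resulting APK) can be reproduced offline for triage. The Go program below is an added example written for this report; it is not code from the dropper or from DTI. It builds its own sample assets so that it runs without a real sample, uses the key exactly as printed above (32 hex characters, decoded to 16 bytes), and assumes AES in ECB mode with PKCS#7 padding, because the report does not state the cipher mode (Java's Cipher.getInstance("AES") defaults to AES/ECB/PKCS5Padding, which is the most common choice in droppers of this kind). The function refuses any output that does not begin with the ZIP magic, which is the quickest check that the key and mode are right.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Key as published in the report: 32 hex characters, i.e. a 16-byte AES-128 key.
const reportedKeyHex = "62646632363164386461323836333631"

// ASSUMPTION: the report does not name the cipher mode. AES/ECB/PKCS5Padding is
// assumed here because it is the Java default for Cipher.getInstance("AES").

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("data length is not a multiple of the AES block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// aesECB encrypts or decrypts whole blocks independently (ECB has no IV or chaining).
func aesECB(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not block aligned")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		if encrypt {
			block.Encrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		} else {
			block.Decrypt(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
		}
	}
	return out, nil
}

// UnpackSpyNote mirrors the dropper's steps as the report describes them:
// concatenate assets/base/000 and 001, AES-decrypt, gzip-decompress, and
// return the embedded APK. Output that is not a ZIP archive is rejected.
func UnpackSpyNote(part000, part001 []byte, keyHex string) ([]byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil || len(key) != 16 {
		return nil, errors.New("key must be 16 bytes given as hex")
	}
	combined := append(append([]byte{}, part000...), part001...)
	plain, err := aesECB(key, combined, false)
	if err != nil {
		return nil, err
	}
	if plain, err = pkcs7Unpad(plain); err != nil {
		return nil, err
	}
	zr, err := gzip.NewReader(bytes.NewReader(plain))
	if err != nil {
		return nil, fmt.Errorf("gzip header: %w", err)
	}
	defer zr.Close()
	apk, err := io.ReadAll(zr)
	if err != nil {
		return nil, fmt.Errorf("gzip body: %w", err)
	}
	if !bytes.HasPrefix(apk, []byte("PK\x03\x04")) {
		return nil, errors.New("decrypted data does not start with ZIP magic; wrong key or mode")
	}
	return apk, nil
}

// BuildTestAssets is the inverse pipeline, used only to construct sample input:
// gzip a fake APK, encrypt it, and split the ciphertext into a 000 and a 001 part.
// The split point is deliberately not block aligned, so each part alone is useless.
func BuildTestAssets(apk []byte, keyHex string) ([]byte, []byte, error) {
	key, err := hex.DecodeString(keyHex)
	if err != nil {
		return nil, nil, err
	}
	var gz bytes.Buffer
	w := gzip.NewWriter(&gz)
	if _, err := w.Write(apk); err != nil {
		return nil, nil, err
	}
	if err := w.Close(); err != nil {
		return nil, nil, err
	}
	ct, err := aesECB(key, pkcs7Pad(gz.Bytes()), true)
	if err != nil {
		return nil, nil, err
	}
	cut := len(ct)/2 + 3
	return ct[:cut], ct[cut:], nil
}

func main() {
	// Constructed stand-in for an APK: ZIP local-file-header magic plus filler.
	fake := append([]byte("PK\x03\x04"), []byte("constructed fake APK body")...)
	p0, p1, _ := BuildTestAssets(fake, reportedKeyHex)
	apk, err := UnpackSpyNote(p0, p1, reportedKeyHex)
	fmt.Printf("recovered %d bytes, err=%v\n", len(apk), err)
}
```

On a real sample, replace the constructed parts with the contents of assets/base/000 and 001 from the dropper; if the ZIP-magic check fails with the report's key, the mode assumption is the first thing to revisit.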

2. SpyNote Payload Loads C2 Logic: The main SpyNote APK dynamically loads another DEX file from its own `assets/base` folder. This DEX file contains the actual C2 connection logic.

3. C2 Logic Establishes Connection: The dynamically loaded DEX file contains the code to build the WebSocket URL for the C2 server.

In previously reported configurations, the C2s were hardcoded directly in the functions for sending traffic. In recent samples, they use control flow obfuscation and identifier obfuscation through random variations of o, O, and 0 for all names in an attempt to make it difficult to understand the program’s logic through static analysis.
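The o/O/0 naming scheme described above is easy to flag mechanically once a DEX parser has produced a class and method listing. The following Go program is an added example, not code from the report or from any DEX tool: it tests each identifier's last path component against the scheme and reports the share of names affected, with a constructed sample list (not taken from a real SpyNote sample) as input. The threshold in LooksObfuscated is a triage heuristic chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Identifiers built only from the letter o, the letter O and the digit 0.
var homoglyphName = regexp.MustCompile(`^[oO0]+$`)

// Constructed sample shaped like the listing a DEX parser would print;
// not taken from an actual sample.
var sampleIdentifiers = []string{
	"com/example/MainActivity", "onCreate", "oO0o", "O0oO0", "o0O",
	"getSystemService", "OOoo0", "run", "0oO0O", "setContentView",
}

type ObfuscationReport struct {
	Flagged []string // identifiers that match the o/O/0 scheme
	Total   int
	Ratio   float64 // len(Flagged) / Total
}

// simpleName strips package paths, dotted prefixes and inner-class separators
// so only the last component of a name is tested.
func simpleName(id string) string {
	if i := strings.LastIndexAny(id, "/.$"); i >= 0 {
		return id[i+1:]
	}
	return id
}

// FindHomoglyphIdentifiers returns every identifier matching the scheme and the
// proportion of the listing it represents.
func FindHomoglyphIdentifiers(ids []string) ObfuscationReport {
	r := ObfuscationReport{Total: len(ids)}
	for _, id := range ids {
		if homoglyphName.MatchString(simpleName(id)) {
			r.Flagged = append(r.Flagged, id)
		}
	}
	if r.Total > 0 {
		r.Ratio = float64(len(r.Flagged)) / float64(r.Total)
	}
	return r
}

// LooksObfuscated is a triage threshold (an assumption of this example): a few
// such names are rare in ordinary code, and a third or more of a listing is a
// strong signal that the file was processed by an identifier obfuscator.
func LooksObfuscated(r ObfuscationReport) bool {
	return len(r.Flagged) >= 3 && r.Ratio >= 0.3
}

func main() {
	r := FindHomoglyphIdentifiers(sampleIdentifiers)
	fmt.Printf("flagged %d of %d identifiers (%.0f%%), obfuscated=%v\n",
		len(r.Flagged), r.Total, r.Ratio*100, LooksObfuscated(r))
	for _, f := range r.Flagged {
		fmt.Println("  ", f)
	}
}
```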

Sample identifier obfuscation in a loaded DEX file:

4. C2 Domain Selection Logic: A utility method selects a domain from a predefined list, making the malware more resilient.

5. Hardcoded C2 Domain List: The final destination is a simple class that acts as a container for the hardcoded C2 domains.

Threat Actor Analysis

The threat actor distributing SpyNote malware exhibits persistence and limited technical adaptability. They consistently use deceptive Google Play Store clones to lure victims, a social engineering tactic that remains central to their operations. Despite previous exposure, their infrastructure remains confined to two primary IP addresses, showing a restricted capacity for diversification, though they do rotate specific IP resolutions. The anti-analysis techniques used in their APK droppers are relatively simple, employing basic obfuscation and dynamic payload decryption to protect the SpyNote payload.

The APK filenames suggest the spoofed brands or applications fall into these categories:

  • Social & Dating Apps: iHappy, CamSoda, Kismia, yome, TmmTmm
  • Gaming Apps: 8 Ball Pool, Block Blast
  • General Utility/Productivity Apps: Chrome, meus arquivos 2025, Beauty, Faísca Inicial, Compras Online, LoveVideo, GlamLive, Holding Hands

This actor is suspected of broadly targeting consumers with lures mimicking popular applications, including those related to fashion, social networking, and general utilities, as well as ubiquitous apps like Chrome and Zoom. This wide net, coupled with the surveillance and data exfiltration capabilities of SpyNote, strongly suggests a financially motivated objective. While the delivery code contains Chinese language comments, the specific attribution for this persistent and opportunistic threat actor remains unknown.

Conclusion

This report details a persistent SpyNote malware campaign by an actor relying on deceptive Google Play Store clones for delivery. Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis. The actor’s limited infrastructure adaptability and broad consumer targeting for financial gain highlight their opportunistic yet effective approach. This persistent activity underscores the ongoing threat of mobile RATs and the need for continuous vigilance against social engineering tactics, even from actors with limited technical sophistication.

Security Recommendations

To better protect consumers from threats like SpyNote, key players in the security ecosystem can enhance their defenses:

Browser Developers: Consider strengthening built-in malicious site warnings to automatically flag and block access to deceptive download pages such as fake Google Play Store sites. This helps users avoid suspicious sites entirely.

Android Antivirus Providers and Mobile OS Developers: Focus on advancing automated analysis of app downloads to quickly detect and prevent the installation of harmful software, even when it tries to hide. This provides a crucial layer of defense directly on the device.

Mobile VPN Providers: Explore integrating network-level security features that automatically filter out or alert to connections to known malicious servers. This adds another protective barrier, stopping threats before they can reach the user’s device.

IOCs

Malware Delivery

154.90.58[.]26
mcspa[.]top
pyfcf[.]top
atdfp[.]top
fkqed[.]top
mygta[.]top
fsckk[.]top
megha[.]top
pyane[.]top
bekmc[.]top
kasmc[.]top
fhkaw[.]top
hytsa[.]top
cfdta[.]top
fcewa[.]top
hekbb[.]top
spwtt[.]top
atubh[.]top
kshyq[.]top
ctdqa[.]top
kyhbc[.]top
gtuaw[.]top
snbyp[.]top
jewrs[.]top
pkdcp[.]top
byhga[.]top
bcgrt[.]top
kmyjh[.]top
https[:]//bcgrt[.]top/Beauty[.]apk
https[:]//cfdta[.]top/Fa%C3%ADscaInicial[.]apk
https[:]//kyhbc[.]top/002[.]apk
https[:]//megha[.]top/iHappy[.]apk
https[:]//jewrs[.]top/CamSoda[.]apk
https[:]//byhga[.]top/8%20Ball%20Pool[.]apk
https[:]//fhkaw[.]top/Kismia[.]apk
https[:]//fkqed[.]top/001[.]apk
https[:]//pkdcp[.]top/Fa%C3%ADscaInicial[.]apk
https[:]//spwtt[.]top/LoveVideo[.]apk
https[:]//mygta[.]top/Block%20Blast[.]apk
https[:]//pyane[.]top/Compras%20Online[.]apk
https[:]//pyfcf[.]top/001[.]apk
https[:]//gtuaw[.]top/Chrome[.]apk
https[:]//hytsa[.]top/Chrome[.]apk
https[:]//snbyp[.]top/meus%20arquivos%202025[.]apk
https[:]//atdfp[.]top/Holding%20Hands[.]apk
https[:]//kasmc[.]top/Fa%C3%ADscaInicial[.]apk
https[:]//ctdqa[.]top/003[.]apk
https[:]//kshyq[.]top/004[.]apk
https[:]//fsckk[.]top/yome[.]apk
https[:]//bekmc[.]top/TmmTmm[.]apk
https[:]//hekbb[.]top/GlamLive[.]apk
https[:]//kmyjh[.]top/001[.]apk
https[:]//atubh[.]top/Chrome[.]apk
https[:]//fcewa[.]top/Chrome[.]apk

Droppers

48aa5f908fa612dcb38acf4005de72b9379f50c7e1bc43a4e64ce274bb7566e8

SpyNote

86e8d3716318e9bb63b86aebe185db5db6718cb3ddea7fbafefa8ebfb674b9e8
b81febd19a457e6814d7e28d68742ae25fc4cf6472289a481e262048e9d8eee4
703d62470d31866ccecb66f0083084c478e9e92916041216ec8d839afed0d0d6

Command & Control

199.247.6[.]61
mskisdakw[.]top
fsdlaowaa[.]top
askkpl67[.]top
cnhau1wq[.]top
nhy58awn[.]top
sakjhu5588[.]top

Shodan Hunting Queries

Tip: Look for fake Google Play Store sites or suspicious iframe JavaScript sources for file downloads.

http.html:"jscontroller=\"pjICDe\"" http.html:"jsaction=\"rcuQ6b:npT2md;"
http.html:"sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE" OR http.html:"PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc"
http.html:"VfPpkd-jY41G-V67aGc"
http.html:"iframe.src = \"javascript: '<script>location.href=\\\""
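The same markers that drive the Shodan queries (the copied Play Store attributes and CSS class, the two strings listed under Frequent HTML Code Inclusions, and the hidden-iframe download trick described in the Malware Delivery Website Review) can be applied locally to HTML captured from a suspect site, for instance by a URL scanner or a proxy. The Go program below is an added example written for this report, not code from DTI or from the delivery pages; the sample HTML it scans is constructed to carry the indicators and is not a capture of a real site, the unpkg version segment is a placeholder because the report does not give it, and the two-marker verdict rule is an assumption of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Markers of the cloned Google Play install page, taken from the report's
// "Frequent HTML Code Inclusions" list and its Shodan hunting queries.
var cloneIndicators = map[string]*regexp.Regexp{
	"play_jscontroller":    regexp.MustCompile(`jscontroller="pjICDe"`),
	"play_jsaction":        regexp.MustCompile(`jsaction="rcuQ6b:npT2md;`),
	"play_css_class":       regexp.MustCompile(`VfPpkd-jY41G-V67aGc`),
	"token_sBw2N8":         regexp.MustCompile(`sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE`),
	"token_PJKdyV":         regexp.MustCompile(`PJKdyVFC5jlu_l8Wo_hirJkhs1cmitmn44fgpOc3zFc`),
	"iframe_js_download":   regexp.MustCompile(`iframe\.src\s*=\s*"javascript:\s*'<script>location\.href=`),
	"unpkg_current_device": regexp.MustCompile(`unpkg\.com/[^"'\s]*current-device\.min\.js`),
}

// Pulls the APK name out of the iframe's JavaScript URI (location.href=\"<name>.apk\").
var apkName = regexp.MustCompile(`location\.href=\\"([^"\\]+\.apk)`)

type CloneVerdict struct {
	Matched []string // indicator names that fired, sorted
	APK     string   // APK file the page would push, if the iframe trick is present
	IsClone bool
}

// ScanPlayStoreClone checks one HTML document against the indicators. Two or
// more markers, or the iframe download trick on its own, count as a hit
// (threshold assumed for this example).
func ScanPlayStoreClone(html string) CloneVerdict {
	var v CloneVerdict
	for name, re := range cloneIndicators {
		if re.MatchString(html) {
			v.Matched = append(v.Matched, name)
		}
	}
	sort.Strings(v.Matched)
	if m := apkName.FindStringSubmatch(html); m != nil {
		v.APK = m[1]
	}
	iframeHit := cloneIndicators["iframe_js_download"].MatchString(html)
	v.IsClone = iframeHit || len(v.Matched) >= 2
	return v
}

// Constructed sample of a clone page carrying several of the markers
// (not a capture of a real delivery site; the unpkg version is a placeholder).
const sampleClonePage = `<html><body>
<div jscontroller="pjICDe" class="VfPpkd-jY41G-V67aGc">Install</div>
<script src="https://unpkg.com/current-device@x.y.z/umd/current-device.min.js"></script>
<meta content="sBw2N8uateIzRr93vmFze5MF_35vMk5F1wG04L5JcJE">
<script>
function download() {
  var iframe = document.createElement("iframe");
  iframe.style.display = "none";
  iframe.src = "javascript: '<script>location.href=\"Chrome.apk\"<\/script>'";
  document.body.appendChild(iframe);
}
</script>
</body></html>`

// Constructed benign page used as the negative case.
const sampleBenignPage = `<html><body><a href="/report.pdf">Download the report</a></body></html>`

func main() {
	for _, page := range []string{sampleClonePage, sampleBenignPage} {
		v := ScanPlayStoreClone(page)
		fmt.Printf("clone=%v apk=%q matched=%v\n", v.IsClone, v.APK, v.Matched)
	}
}
```

The APK name is worth extracting even when the page is already blocked: it is the artifact to hunt for on endpoints, and the report's IOC list shows that the same brand names recur across many of the actor's domains.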

SpyNote Mobile ATT&CK Matrix

SpyNote Capability | MITRE ATT&CK Mobile Technique | Technique ID
--- | --- | ---
Stealing SMS messages | Collect SMS Messages | T1636.004
Accessing and exfiltrating contact list | Contact List | T1636.003
Reading call logs | Call Log | T1636.002
Tracking GPS location | Location Tracking | T1430
Accessing and potentially stealing files from external storage | Data from Local System | T1533
Extracting device information (IMEI, system specs) | Device Information Discovery | T1640
Monitoring network traffic | Network Traffic Monitoring | T1657
Stealing photos | Data from Local System | T1533
Activating the device’s camera to capture photos or videos | Camera Capture | T1428
Recording audio from the device’s microphone | Audio Capture | T1429
Making phone calls | Make Phone Call | T1646
Intercepting incoming phone calls and recording them | Call Recording | T1645
Providing a shell terminal for remote command execution | External Remote Services | T1132
Keylogging (recording keystrokes) | Input Capture | T1478
Targeting credentials for various applications (banking, social media) | Credentials in Files | T1555.004
Extracting two-factor authentication (2FA) codes | Credentials in Files | T1555.004
Displaying content over other applications (clickjacking) | Overlay Windows | T1641
Remotely wiping data | Data Destruction | T1485
Remotely locking the device | Device Lockout | T1486
Remotely resetting the device password | Reset Device Password | T1535
Downloading and installing new applications without user consent | Install Other Software | T1534
Self-updating | Update Software | T1539
Deleting collected data from the SD card | File Deletion | T1574
Detecting other installed applications | Installed Application List | T1518
Capturing screen content | Screen Capture | T1656
Targeting cryptocurrency accounts (stealing private keys, wallet info) | Credentials in Files | T1555.004
Injecting web links into web view modules within applications | Webview Injection | T1556
Hiding its application icon from the app launcher | Hide Icons | T1668
Automatically starting malicious services after device reboot | Event Triggered Execution: Broadcast Receivers | T1624.001
Implementing “diehard services” that are difficult to shut down | Persistence via System Application | T1520
Excluding itself from battery optimization settings | Disable or Modify System Configuration: Disable Battery Optimization | T1546.003
Displaying continuous silent notifications to maintain a persistent presence | Abuse of OS Features: Notifications | T1529
Monitoring system settings for attempts to remove the application and blocking them | Prevent Application Uninstall | T1547
Hijacking accessibility services to simulate user inputs to prevent uninstallation | Abuse of Accessibility Features | T1550
Automatically navigating back to the device’s home screen when a user tries to access app settings | Application Manipulation | T1701

Reference: https://attack.mitre.org/matrices/mobile/