Lossless Blog

SpyNote Banking System Trojan used by Hackers to Attack European bank Customers


There has been a massive wave of cyber attacks on the accounts of customers at various European banks. Bank customers are being targeted with an Android banking Trojan called SpyNote, which acts as spyware, as part of an aggressive campaign detected in June and July 2023.

Spyware is malicious software that is used to monitor victims of cyber attacks and is distributed through phishing or smishing campaigns. The fraudulent activity is executed in two ways: through Remote Access Trojan (RAT) capabilities and through vishing attacks, as reported by Cleafy, an Italian cybersecurity firm, in a technical analysis released on Monday.

SpyNote, also called SpyMax, functions like other Android banking Trojans: it requires Android Accessibility permissions so that it can grant itself other necessary permissions and gather sensitive information from infected devices. Its distinctive feature is its double role of acting as spyware and also performing bank fraud.

Like ordinary spyware, it begins its attack when it is sent in a bogus SMS message to a target, who may mistakenly install it as a banking app by clicking on the accompanying link. This connects the victim to a legitimate TeamViewer QuickSupport app available on the Google Play Store.

The attacker's aim is to use TeamViewer as a conduit to gain remote access to the victim's phone and stealthily install the malware. The information SpyNote can harvest includes geolocation data, keystrokes, screen recordings, and SMS messages, which can be used to bypass SMS-based two-factor authentication.

Note that threat actors have used TeamViewer multiple times to carry out malicious actions through social engineering attacks. An Italian security researcher, Francesco Lubatti, said in an earlier statement, “in particular, the attacker calls the victim, impersonating bank operators, and performs fraudulent transactions directly on the victim's device.”

This disclosure was a result of a recent revelation of the activities of a hack-for-hire operation known as “Bahamut”, which was previously deployed in South Asia and the Middle East with the aim of installing a dummy chat app named SafeChat that conceals an Android malware dubbed Coverlm.

These malicious apps operate in a common way: when delivered to a targeted victim, they request accessibility and other permissions in order to collect call logs, contacts, files, locations, and SMS messages, as well as to install additional apps and steal data from social media platforms such as Facebook Messenger, imo, Signal, WhatsApp, Viber, and Telegram.
