There is an interesting post on the F-Secure blog:
“Take A Note of SpyNote”
Malware may install itself on your phone (if you allow it) and then ask you all kinds of permission questions. The Indonesian write-up describes it like this: “When you want to install the application, a notification appears asking for permission to access phone calls, photos and videos, contacts, GPS, audio recordings, and so on.”
(It just so happens that an Indonesian site did some testing with the malware with interesting results).
Vikas downloaded and installed SpyNote (to see how it works) and found the above wording – it is on an Indonesian site: https://cyberthreat.id/read/7219/SpyNote-Malware-Pengintai-Ponsel-Android
(.id = Indonesian country code). I translated the words with Google Translate, so I am sure it is not 100% accurate, but it gives the meaning.
What I understood after translating and reading his experiment is that he did not want to install SpyNote by itself, so he piggybacked it inside another app (also to see if that works). You can see his image as a screenshot from his website. The sentence in Indonesian translates to: “Vikas created an application by inserting SpyNote malware”
Then he shows how he created an app on an Android phone to test the capability.
What happens if you install an app that you are not familiar with from outside the Google Play store? An outside link has no Google (or Apple) checks. This secret app now includes SpyNote, which runs on the phone as malware or spyware. The secret app will now spy on you and record all your keystrokes everywhere.
Are you entering your password on your bank app? The secret app now has it. Thus it is a unique method of inserting malware onto the phone infrastructure of millions of people.
Of course one has to click on something which downloads the ‘bad’ app and then tell it to go ahead and install anyway. But people install stuff on their phones and computers without thinking these days.
Then, on top of that, what if one says OK to the permission question? “Access phone calls, photos and videos, contacts, GPS, audio recordings”, or whatever the hacker has created. Now the hacker can record all of the items you allowed them to record.
It is an interesting hack, and the proof of concept has been completed by Vikas at cyberthreat.id, as well as in the F-Secure blog post “Take a Note of SpyNote”. F-Secure notes that this type of malware on the Android infrastructure spreads via smishing (malicious text/SMS messages). They analyze all the permission requests:
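The permission list is the first thing a defender looks at when triaging a sideloaded app. As an added illustration (not code from the F-Secure post or from cyberthreat.id), the script below parses a decoded AndroidManifest.xml (the text form apktool produces), maps the requested permissions back to the capabilities the post names (phone calls, photos and videos, contacts, GPS, audio recordings), and flags an app that asks for most of them at once, plus an accessibility service, which is what lets an app read on-screen text. The two manifests are constructed samples for a made-up package name; the threshold and the capability mapping are my assumptions, not anything the page states.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Constructed sample: a decoded manifest for a hypothetical repackaged "notes" app.
# Illustrative data only; this is not SpyNote's real manifest.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notesapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Notes">
        <service android:name=".KeyService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: what a plain notes app would more plausibly request.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notesapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

# Map the capabilities named in the post to the Android permissions that grant them.
# (Assumed mapping; Android's own permission names are used, the grouping is mine.)
CAPABILITY_PERMISSIONS = {
    "phone calls": {"android.permission.READ_CALL_LOG",
                    "android.permission.READ_PHONE_STATE",
                    "android.permission.CALL_PHONE"},
    "photos and videos": {"android.permission.CAMERA",
                          "android.permission.READ_EXTERNAL_STORAGE",
                          "android.permission.READ_MEDIA_IMAGES",
                          "android.permission.READ_MEDIA_VIDEO"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "GPS": {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"},
    "audio recordings": {"android.permission.RECORD_AUDIO"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if any <service> is bound as an accessibility service."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for svc in root.iter("service"))


def spyware_capabilities(manifest_xml: str) -> list:
    """List the spyware-relevant capabilities the manifest asks for, in mapping order."""
    perms = requested_permissions(manifest_xml)
    found = [cap for cap, names in CAPABILITY_PERMISSIONS.items() if perms & names]
    if declares_accessibility_service(manifest_xml):
        found.append("accessibility service (reads on-screen text and keystrokes)")
    return found


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag a manifest as suspicious when it requests at least `threshold` capabilities."""
    caps = spyware_capabilities(manifest_xml)
    return {"capabilities": caps, "count": len(caps), "suspicious": len(caps) >= threshold}


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

A real review would run this over the manifest apktool extracts from the APK, and the threshold is only a starting point: a camera app legitimately needs CAMERA and storage, while a notes app asking for call logs, SMS, microphone and an accessibility service is the pattern worth stopping before tapping “install anyway”.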
I am not sure about all of Indonesia, but this person may be furthering the red team efforts or the hacker efforts, wittingly or unwittingly. This is how this kind of info spreads, and we have to deal with the consequences. F-Secure is doing malware research for their own products. The methods of how the malware works are important if you are trying to detect it. Very soon many other vendors will also develop a defense to this.
This does not mean you should depend on the vendor only; you should have all the defenses in place so that the attacker has to go through many hurdles.
((Adding bleepingcomputer weblink))
They note that this malware has been in the wild since 2022 but had not taken over a lot of systems until January 23, when the source code of the malware was leaked. (This is typical, as the attackers need time to create a good attack, modifying the code until it works.) There is more on SpyNote on other websites. I will add more here when I think it is necessary.