Posted: September 19, 2019

The SpyNote RAT is a Remote Access Trojan that can collect information from Android devices or modify them according to an attacker's commands. Since both the SpyNote RAT's source code and a user-friendly Trojan builder for it are publicly available, its infection vectors are not predictable, but it often arrives disguised as a fake application. Suitable anti-malware programs can remove a SpyNote RAT from your device or prevent infections at the dropper stage.

Application Installers where Nothing Happens, Except Trojans

A versatile and highly-invasive Trojan like the SpyNote RAT is part of the new normal for smartphones and other Android devices, just as Windows and Linux have been dealing with similar threats for years. It gives a threat actor control over contacts and even microphones, but first, the RAT has to install itself. Most campaigns leveraging this Trojan do so through social engineering that abuses well-known application brands.

Different variants of the SpyNote RAT, including the recently-prominent MobiHok RAT, are possible because a threat actor can directly modify the public source code or, more conveniently, use a Trojan builder application. Most campaigns that use the SpyNote RAT rely on installers that pass the Trojan off as an application from Netflix, WhatsApp, Instagram, Google Update, Facebook, Pokémon Go and other brands. In most instances, once the user allows the installation, the brand-appropriate shortcut icon disappears, removing the visual evidence of the SpyNote RAT infection.

However, the SpyNote RAT remains operational through a combination of Android-specific persistence techniques that abuse Broadcast Receivers, Services and other application components. Although malware experts found that the SpyNote RAT can accept and execute commands from the attacker's server, the majority of its features involve collecting information. The SpyNote RAT can record the device's microphone, take screenshots, harvest contact lists and collect SMS messaging content.

Why What's not Visible Still Hurts You (or Your Phone)

The SpyNote RAT removes the usual visual indications of an application's presence from the UI but starts up with the device every time, thanks to a custom boot event. An associated service, Auto-startup, also makes sure that the SpyNote RAT's process stays in memory. Meanwhile, the SpyNote RAT can exert complete control over what programs are running, including uninstalling ones that the threat actor tells it to remove, such as anti-virus solutions.
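The persistence and icon-hiding traits described in the two sections above (a boot-time Broadcast Receiver, a background service, a disappearing launcher icon, plus permissions for the microphone, SMS and contacts) can all be read from an APK's manifest before the app is ever run. The following static triage script is an added example written for this article, not code from SpyNote, MobiHok or any vendor; the manifest it inspects is constructed, and the package and component names in it are placeholders.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML attribute namespace
BOOT = "android.intent.action.BOOT_COMPLETED"
LAUNCHER = "android.intent.category.LAUNCHER"
# Permissions behind the collection features described above (mic, SMS, contacts).
SURVEILLANCE = {"android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
                "android.permission.READ_CONTACTS"}
# Constructed manifest for a fake "update" app: boot receiver, background
# service, and a launcher activity shipped disabled so no icon is shown.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <activity android:name=".Main" android:enabled="false">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".AutoStartup"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the persistence and collection traits declared in a manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    launchers = [act for act in app.iter("activity")
                 if any(c.get(A + "name") == LAUNCHER for c in act.iter("category"))]
    return {
        "surveillance_perms": sorted(perms & SURVEILLANCE),
        "boot_receiver": any(a.get(A + "name") == BOOT
                             for r in app.iter("receiver") for a in r.iter("action")),
        "services": [s.get(A + "name") for s in app.iter("service")],
        # No launcher activity, or one shipped disabled, means no visible icon.
        "launcher_hidden": not launchers
                           or any(l.get(A + "enabled") == "false" for l in launchers),
    }

def spynote_like(findings):
    # Heuristic: boot persistence + a service + hidden icon + surveillance permissions.
    return (findings["boot_receiver"] and bool(findings["services"])
            and findings["launcher_hidden"] and bool(findings["surveillance_perms"]))
```

A manifest extracted from a real APK (for example with apktool or aapt) can be fed to `triage_manifest` in place of the constructed sample; note that apps can also hide their icon at runtime, so a manifest-only check catches the static case but not every variant.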

Users should be conscious of the dangers of downloading unvetted applications, especially from third parties such as general-purpose shareware archives and phishing sites that imitate them. Unfortunately, even legitimate sources like Google's Play Store sometimes experience security compromises that result in the temporary distribution of a fake or threatening application. Always check reviews for reports of suspicious activity from an application and scan your downloads with suitable security products for your device.

Symptoms of the infection are minor, and users should disable network connectivity until they've determined whether or not they're experiencing problems related to this threat. Most anti-malware programs for Android should delete the SpyNote RAT automatically, although threat actors may update their variant for improved evasive techniques.

The SpyNote RAT offers a sweeping scope of information theft to anyone who wants to use it – which is a significant portion of the actors in the Android Trojan industry. Although it's a years-old problem, updates to it, like the MobiHok RAT, are doing their part to keep it relevant today.