A builder for the capable SpyNote Android RAT is being freely distributed on several underground hacker forums.
SpyNote is capable of viewing messages on the infected device, listening to calls made from it, collecting device information and GPS location, exfiltrating contacts and files, turning on the device’s microphone for real-time spying, and activating the camera, as well as making calls from the device, installing new (malicious) APKs, and updating itself.
And it is capable of doing all of this without gaining root access to the device, Palo Alto Networks’ researchers warn.
The builder configures the RAT to contact a specific C&C server over a specific port.
Once it is installed, the malware removes its icon in order to pass under the radar.
The malware itself is not difficult for experts to analyze, as its code is neither obfuscated nor protected.
Researchers believe we can almost surely expect an uptick in distribution campaigns delivering this particular piece of malware now that the builder has been leaked, but so far they haven’t spotted any.
The good news, for cautious users anyway, is that SpyNote requires users to grant many permissions before it can carry out all of the actions mentioned above, so it cannot pass unnoticed by all users.
Unfortunately, there are always going to be those who are careless or simply don’t understand what these permissions mean. For those, mobile security solutions are a good investment.
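To make the permission point concrete, here is an added Python example (not code from the article or from Palo Alto Networks) that reads a decoded AndroidManifest.xml, for instance as produced by apktool, and reports how many of the capability groups listed above an app's requested permissions would cover. The capability-to-permission mapping, the threshold of 5 and the two sample manifests are assumptions constructed for illustration, not data taken from a SpyNote sample.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumption: capability named in the article -> permissions an app would need for it.
CAPABILITIES = {
    "read messages": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "listen to calls": {P + "PROCESS_OUTGOING_CALLS", P + "READ_PHONE_STATE"},
    "location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "contacts": {P + "READ_CONTACTS"},
    "files": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "microphone": {P + "RECORD_AUDIO"},
    "camera": {P + "CAMERA"},
    "place calls": {P + "CALL_PHONE"},
    "install APKs": {P + "REQUEST_INSTALL_PACKAGES", P + "INSTALL_PACKAGES"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    if "<!DOCTYPE" in manifest_xml:  # a manifest needs no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in manifest")
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(NS + "name") for t in tags for el in root.iter(t)} - {None}

def triage(manifest_xml, threshold=5):
    """Return (capability groups covered, flagged) for one manifest."""
    perms = requested_permissions(manifest_xml)
    covered = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    return covered, len(covered) >= threshold  # threshold is an assumed cut-off

def _manifest(package, perms):
    # Constructed sample input, not taken from any real APK.
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

SUSPICIOUS = _manifest("com.example.flashlight", [
    "READ_SMS", "PROCESS_OUTGOING_CALLS", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
    "READ_EXTERNAL_STORAGE", "RECORD_AUDIO", "CAMERA", "CALL_PHONE",
    "REQUEST_INSTALL_PACKAGES", "INTERNET"])
BENIGN = _manifest("com.example.camera", ["CAMERA", "INTERNET", "WRITE_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        covered, flagged = triage(xml)
        print(label, "FLAG" if flagged else "ok", covered)
```

A high count is a prompt for review, not a verdict: legitimate communication apps also request several of these groups.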