Phishing, Malware
Bogus Google Play pages tapped for SpyNote malware distribution

Android remote access trojan SpyNote has been deployed through fraudulent Google Play websites on newly registered domains as part of a new attack campaign, reports Infosecurity Magazine.
Suspected China-linked threat actors have created seemingly legitimate Google Play listings for TikTok and other widely used apps; clicking the fake "Install" button downloads a malicious APK, according to findings from DomainTools. Installing that APK triggers delivery of a second APK, which executes SpyNote. The trojan can intercept text messages, call logs, and contacts; activate the camera and microphone remotely; track GPS location; log keystrokes; and record phone calls. Besides allowing the installation of further malicious apps, SpyNote abuses accessibility services for persistence, DomainTools researchers said. The campaign follows earlier cyberespionage attacks against the Indian military in which SpyNote, previously linked to the APT-C-37 and APT34 (OilRig) advanced persistent threat operations, was leveraged.
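The behaviours described above (dropping a second APK, SMS/call-log/contact access, camera, microphone, GPS, and an accessibility service used for persistence) all leave traces in an app's manifest. The following static triage script is an added example for defenders, not code from DomainTools or from the SpyNote analysis; it assumes the manifest has already been decoded to plain XML (as apktool produces, since a real APK carries a binary-encoded manifest), and the two sample manifests embedded in it are constructed for illustration, with the package names and service name being placeholders.

```python
"""Static triage of a decoded AndroidManifest.xml for SpyNote-style indicators.

Added example. Assumes a manifest already decoded to plain XML (e.g. apktool output);
the sample manifests below are constructed, not taken from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions that map to the capabilities described for SpyNote.
SPY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone / call recording",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper stage)",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded manifest by spyware-relevant permissions and accessibility abuse."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    hits = {p: d for p, d in SPY_PERMISSIONS.items() if p in requested}
    # An accessibility service is a <service> bound with BIND_ACCESSIBILITY_SERVICE;
    # SpyNote abuses this mechanism for persistence, so it weighs heavily.
    accessibility_services = [
        s.get(NAME_ATTR) for s in root.iter("service")
        if s.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION
    ]
    score = len(hits) + (3 if accessibility_services else 0)
    verdict = "suspicious" if score >= 4 else "review" if score >= 2 else "low"
    return {
        "package": root.get("package"),
        "spy_permissions": hits,
        "accessibility_services": accessibility_services,
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest resembling the described SpyNote capability set (placeholder names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="TikTok">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], result["score"],
              sorted(result["spy_permissions"]), result["accessibility_services"])
```

The score is a coarse heuristic for prioritising samples, not a detection signature: a legitimate messaging or navigation app can request several of these permissions, so the accessibility-service declaration combined with REQUEST_INSTALL_PACKAGES is the pairing worth escalating first.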