SpyNote Targets Crypto Wallets Through Android Exploitation

Sophia Taylor

By Sophia Taylor


The cybersecurity landscape is witnessing the resurgence of the infamous SpyNote spyware, this time with a focus on pilfering cryptocurrency by exploiting Android’s Accessibility APIs. This development, outlined in a comprehensive report by FortiGuard Labs, marks a significant evolution in the capabilities of the SpyNote developers. Originally known for harvesting user credentials, they’re now orchestrating cryptocurrency transactions by manipulating users and their digital wallets.

What is the exploit?

SpyNote, a Remote Access Trojan (RAT) with a notorious reputation, has set its sights on prominent crypto wallets. It leverages the Accessibility API—a feature designed to facilitate users with disabilities by automating UI interactions, like capturing device unlocking patterns. The spyware cleverly misuses this API to auto-fill forms, substituting the recipient’s wallet address and transaction amount with that of the attackers, thereby rerouting funds to the cybercriminals’ wallets. This process is stealthily executed, sending the commandeered data to a remote server to finalize the fraudulent transactions without the user’s knowledge.

A disturbing instance of this strategy was identified on February 1st, where a malicious application, masquerading as a legitimate crypto wallet and laden with the SpyNote RAT alongside anti-analysis properties, was discovered. This incident underscores the attackers’ primary focus on mobile users who utilize crypto wallets or banking apps.

Visual evidence shared by researchers highlights the malware’s tactic of requesting Accessibility Service access. The Android operating system issues additional warnings, but granting permission enables the malware to proceed with its malicious operations. Conversely, denying access blocks the malware’s attempts to exploit the device.

Screenshot: FortiGuard Labs

The evolution of SpyNote has been closely monitored since its initial discovery in 2016 by Palo Alto’s Unit 42, who found the RAT on a darknet forum aimed at users downloading APK apps. This allowed attackers remote control over the compromised devices and facilitated sideloading on Android platforms.

Subsequent discoveries in 2017 by Zscaler IT security researchers revealed fake applications infected with the SpyNote RAT, granting attackers remote administrative control over Android devices. The malware was found in counterfeit versions of popular apps, indicating a new variant of the SpyNote RAT was in circulation.

"SpyNote's shift towards financial gain, particularly in the realm of cryptocurrencies, reflects a broader trend in cybercrime. Attackers are increasingly exploiting the lucrative opportunities presented by the burgeoning crypto market."

Simon Lewis, Co-Founder of Certo

With a history spanning over several years, SpyNote has become a prevalent form of Android malware, amassing over 10,000 samples with various iterations. More recently, the malware shifted focus towards banking fraud, targeting European financial institutions with social engineering and misusing Accessibility services. Victims were tricked into installing a deceptive “certified banking app,” granting attackers remote access to their devices.

The exploitation of the Accessibility API by malware, often under the guise of benign applications, poses a significant risk, particularly to users with disabilities. Android users are urged to exercise caution with apps requesting Accessibility API access, especially those purporting to be crypto wallets, PDF readers, or video players, treating such requests with skepticism and heightened vigilance.