SMS Alert Scams: The Rising Threat of SpyNote Malware Installation


Published on Jul 26, 2023

In a recent development, cybercriminals are exploiting SMS alerts, a common communication method, to install the notorious SpyNote malware on unsuspecting victims' devices. This malicious campaign has primarily targeted Japanese Android users, masquerading as a local power and water infrastructure company.

The Modus Operandi: Exploiting Urgency

The hackers' strategy involves sending SMS alerts to users about urgent payment issues related to their water or power infrastructure. These messages are carefully crafted to create a sense of urgency, prompting the victims to act swiftly. The SMS contains a deceptive link that, when clicked, redirects victims to a phishing site where the SpyNote malware is stealthily downloaded onto their mobile devices.

The Diverse Contexts of Smishing Campaigns

The context of these smishing campaigns varies, with some messages warning about the suspension of power transmission due to non-payment, while others alert about the suspension of water supply for the same reason. Victims who visit these malicious URLs are unknowingly prompted to install the SpyNote malware.

SpyNote Malware: A Silent Threat

SpyNote, whose source code was leaked in October 2022, has since been widely adopted by cybercriminals for malicious purposes. This stealthy malware is capable of exploiting accessibility services and device administrator privileges, stealing sensitive information like device location, contacts, SMS messages, and phone calls. Once installed, the malware disguises itself with a legitimate app icon to blend in with other applications.

The Deceptive Application: A Wolf in Sheep's Clothing

Upon opening the application, victims are prompted to enable the Accessibility feature. If the victim grants permission, the application disables battery optimization for itself, allowing it to keep running in the background. It also grants itself permission to install apps from unknown sources, enabling the installation of additional malware without the user's knowledge or consent.
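A defender-side triage of the three changes described above, as an added example that is not part of the original article: it parses pasted output of three adb commands and ranks packages by how many of the signals they hold (accessibility service enabled, user-granted battery exemption, unknown-source install allowed). The assumed command output formats, the package names and the `trusted` allow-list are constructed for illustration.

```python
# Added example: inputs are constructed samples, not data from the campaign.
# Assumed sources (run by the analyst over adb, output pasted in as text):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys deviceidle whitelist
#   adb shell appops query-op REQUEST_INSTALL_PACKAGES allow

def accessibility_packages(raw):
    """Packages from a colon-separated list of 'package/service' components."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {c.split("/", 1)[0] for c in raw.split(":") if c}

def battery_exempt_packages(raw):
    """User-granted exemptions: lines assumed to look like 'user,<package>,<uid>'."""
    pkgs = set()
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs

def installer_packages(raw):
    """One package name per line; skip blanks and the 'No operations.' notice."""
    return {l.strip() for l in raw.splitlines()
            if l.strip() and l.strip() != "No operations."}

def triage(acc_raw, idle_raw, ops_raw, trusted=frozenset()):
    """Return {package: [signals]} for untrusted packages, most signals first."""
    signals = {
        "accessibility": accessibility_packages(acc_raw),
        "battery_exempt": battery_exempt_packages(idle_raw),
        "install_unknown": installer_packages(ops_raw),
    }
    report = {}
    for name, pkgs in signals.items():
        for pkg in pkgs - set(trusted):
            report.setdefault(pkg, []).append(name)
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))

# Constructed sample device state; every package name here is hypothetical.
ACC = "com.example.screenreader/.ReaderService:jp.example.utility.pay/.CoreService"
IDLE = "system,com.example.sysprovider,10012\nuser,jp.example.utility.pay,10233\nuser,com.example.music,10180\n"
OPS = "com.example.store\njp.example.utility.pay\n"

if __name__ == "__main__":
    for pkg, hits in triage(ACC, IDLE, OPS, trusted={"com.example.store"}).items():
        flag = "REVIEW" if len(hits) == 3 else "note"
        print(f"{flag:6} {pkg}: {', '.join(hits)}")
```

A package holding all three signals is not proof of infection, since legitimate accessibility tools can hold them too, but it is the one to inspect first.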

Previous Attacks and the Importance of Vigilance

Previously, this malware was found attacking the Bank of Japan in April, where it was distributed using a different method. Threat actors keep up-to-date information about companies with legitimate reasons to contact their customers, making their attacks more convincing. Mobile device users should stay vigilant against such smishing campaigns. Always verify the source of any SMS alerts and avoid clicking on suspicious links.

Indicators of Compromise and Final Thoughts

Stay up to date with the latest cyber security news to protect yourself from emerging threats. Here are some indicators of compromise to watch out for: the command and control server is 104.233[.]210.35:27772, and the malware samples' SHA256 hashes can be found here. Remember, in the digital world, caution is the best defense against cyber threats.
