SpyNote
SpyNote is an Android remote access trojan (RAT) / spyware family, frequently discussed together with SpyMax, with variants detected as Trojan-Spy.AndroidOS.SpyNote.* and Android.SpyMax. It is described as a paid or commercially available Android RAT whose source code has also been reused to produce related variants such as SpyMax, Crax RAT, and Eagle Spy. The malware is commonly disguised as legitimate Android applications and delivered through fake apps, social media posts, messaging platforms such as WhatsApp and Telegram, phishing pages, unofficial sources, and in some cases infrastructure hosted on Proton66/PROSPERO-linked networks. One reported campaign, active since at least March 2020, distributed SpyNote and 888 RAT via dedicated Facebook profiles targeting the Kurdish ethnic group; another targeted high-value individuals in Southern Asia via WhatsApp-delivered payloads. SpyNote-based APKs were also noted as likely related to targeting of Tibetan individuals and organizations, and prior reporting cited use by groups including OilRig/APT34, APT-C-37, OilAlpha, and BladeHawk. The content also notes broader Android targeting of government agencies, NGOs, media organizations, financial institutions, activists, and mobile users in multiple regions.
Capabilities directly described in the content include full remote control of infected Android devices; collection of device information such as IMEI, IMSI, SIM and network details; access to contacts, SMS, call logs, files, and precise location; camera access; microphone/audio recording; screenshot capture; monitoring of incoming and outgoing calls; accessibility-service abuse for on-screen monitoring, keylogging, UI automation, and hindering app removal; overlay-based credential phishing and OTP theft; SMS interception including banking one-time passwords; SMS sending and premium-rate SMS fraud; dynamic code loading; reflection-based evasion; emulator/anti-analysis checks; and device administrator abuse including screen lock, password reset, and attempted wipe functionality. The content further states that SpyNote uses raw TCP sockets for command-and-control and stores C2 configuration and tokens in SharedPreferences.
High-confidence indicators and examples mentioned in the content include the C2 IP 182.191.122.219 from a Southern Asia-targeted SpyNote case; Android package elimination.kitchen.secured and app name GoosApp identified as SpyNote/SpyMax; hashes including SHA-256 7129d6c57182f4e53a4fd0f6aac15de30ffc5bfa34bc639a19ee39d2856b3c07 and MD5 b2c5e29222f57cf91d30d37b8ec54cc3 for that sample; certificate SHA-256 465983f7791f2abeb43ea2cbdc7f21a8260b72bc08a55c839fc1a43bc741a81e; receiver elimination.kitchen.AdminReceiver; and four additional SHA-256 values from the CYFIRMA case: 8AA1A66E03596C0EBA6F91FB081DDB4081F43B02D421E069C6BE8BBF5D399B89, 0552137AAA2C9419C8843D50BCB15A4C80913ED47EB71C5E5AB9B5AC257944ED, 6127DAF756865EE089BA83EFDADEBDA2C047026A698759DE09127D0DFE630E8D, and A70089301FF628F09B90B269F6E8F5C6B5AE0B3073028ABCC62FEC9D2F1C954C. The content also notes that SpyNote has been prevalent in mobile threat telemetry, with multiple variants appearing among top Android malware verdicts, and that it has been used for surveillance, extortion, and identity theft.
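The indicators and capability list above, turned into a small sample-triage routine. This is an added example written for this page, not tooling from the page, Mallory, or any vendor; the hash, certificate, package and C2 values are copied from the text above, while the sample-record schema and the permission-to-capability mapping are assumptions constructed for illustration.

```python
"""Triage Android sample metadata against the SpyNote indicators described above."""
# Indicator values quoted from the write-up above, normalised to lower case.
KNOWN_HASHES = {h.lower() for h in (
    "7129d6c57182f4e53a4fd0f6aac15de30ffc5bfa34bc639a19ee39d2856b3c07",
    "b2c5e29222f57cf91d30d37b8ec54cc3",
    "8AA1A66E03596C0EBA6F91FB081DDB4081F43B02D421E069C6BE8BBF5D399B89",
    "0552137AAA2C9419C8843D50BCB15A4C80913ED47EB71C5E5AB9B5AC257944ED",
    "6127DAF756865EE089BA83EFDADEBDA2C047026A698759DE09127D0DFE630E8D",
    "A70089301FF628F09B90B269F6E8F5C6B5AE0B3073028ABCC62FEC9D2F1C954C",
)}
KNOWN_CERTS = {"465983f7791f2abeb43ea2cbdc7f21a8260b72bc08a55c839fc1a43bc741a81e"}
KNOWN_PACKAGES = {"elimination.kitchen.secured"}
KNOWN_C2 = {"182.191.122.219"}
# Capability -> manifest evidence (constructed mapping): ("uses", <uses-permission>)
# or ("component", android:permission an accessibility service / admin receiver declares).
CAPABILITIES = {
    "accessibility_abuse": ("component", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "device_admin_abuse": ("component", "android.permission.BIND_DEVICE_ADMIN"),
    "sms_interception": ("uses", "android.permission.RECEIVE_SMS"),
    "sms_sending": ("uses", "android.permission.SEND_SMS"),
    "audio_recording": ("uses", "android.permission.RECORD_AUDIO"),
    "camera": ("uses", "android.permission.CAMERA"),
    "location": ("uses", "android.permission.ACCESS_FINE_LOCATION"),
    "call_log": ("uses", "android.permission.READ_CALL_LOG"),
}

def triage(sample):
    """Return IOC hits, inferred capabilities and a coarse verdict for one record."""
    hits = []
    for key in ("sha256", "md5"):
        if sample.get(key, "").lower() in KNOWN_HASHES:
            hits.append(key + ":" + sample[key].lower())
    if sample.get("cert_sha256", "").lower() in KNOWN_CERTS:
        hits.append("cert:" + sample["cert_sha256"].lower())
    if sample.get("package") in KNOWN_PACKAGES:
        hits.append("package:" + sample["package"])
    hits += ["c2:" + s for s in sample.get("strings", []) if s in KNOWN_C2]
    uses = set(sample.get("permissions", []))
    comp = set(sample.get("component_permissions", []))
    caps = [name for name, (kind, perm) in CAPABILITIES.items()
            if perm in (uses if kind == "uses" else comp)]
    if hits:
        verdict = "known_spynote"
    # Accessibility or device-admin control plus several surveillance permissions
    # fits the profile described above; a single sensitive permission does not.
    elif {"accessibility_abuse", "device_admin_abuse"} & set(caps) and len(caps) >= 4:
        verdict = "suspicious_rat_profile"
    else:
        verdict = "no_match"
    return {"ioc_hits": hits, "capabilities": caps, "verdict": verdict}
```

Feed it records extracted from your own APK parser or sandbox export; an IOC hit is a confirmed match against the values above, while the heuristic verdict only flags a manifest shape worth a closer look.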
Groups observed using it
4 distinct threat actors attributed by public researchers.
This sample, attributed to an unknown threat actor, was generated using the Spynote Remote Administration Tool.
This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation (1 technique)
Stealth (3 techniques): "dynamic payload decryption and DEX element injection... control flow and identifier obfuscation applied to the C2 logic"
Command and Control (2 techniques)
IOCs tracked for this family
40 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
16 sources tracked across advisories, community write-ups, and news.
SpyNote is discussed as a remote access trojan builder being configured and compiled by the user.
Android remote access trojan that enables full remote device control, accessibility-based keylogging and UI automation, SMS interception and OTP theft, premium-rate SMS fraud, microphone and camera surveillance, GPS tracking, overlay/webinject credential phishing, device administrator abuse for persistence, contact and call log theft, dynamic DEX loading, and anti-analysis checks.
Android remote access trojan that uses raw TCP sockets for C2, leverages reflection to evade static analysis, abuses device admin functions, and stores C2 configuration and tokens in SharedPreferences.
Android malware distributed via deceptive websites mimicking Google Play install pages (as described).