The Android spyware SpyNote has attacked users worldwide through Google Translate and Temp Mail.


Overview
In the context of increasingly dangerous cyberattack campaigns, spyware and malware have also become more common and sophisticated than ever. In June, the FPT Threat Intelligence team recorded a new espionage campaign targeting Android users, where the SpyNote malware was disguised as familiar applications to trick users into downloading and installing the malicious code on their devices.
What is SpyNote?
SpyNote is Android spyware, specifically a RAT (Remote Access Trojan), designed to remotely control Android devices, collect personal data, and monitor users without being detected.
Variants of SpyNote often come with many particularly dangerous functions that pose high risks to information systems:
- Control the camera or microphone to secretly record audio or video.
- Record and send real-time GPS location.
- Browse, delete, or copy files on the device.
- Log all keystrokes (passwords, messages, etc.).
- Record incoming and outgoing calls.
- Install, delete, or hide other apps.
- Disguise itself as legitimate apps like Google Translate, Facebook, DHL, etc.
- View, block, or send SMS without detection.
SpyNote became well-known at the end of 2022 when its source code was leaked online, leading to the continuous emergence of variants with increasingly sophisticated tactics. They hide inside familiar applications like Google Translate, Temp Mail, Deutsche Postbank, etc. Beyond the convincing disguise, the malware is also spread through public directories on the internet, a dangerous combination of weakly configured servers and careful camouflage on the attackers' side.
In addition, SpyNote continuously exploits new vulnerabilities to infiltrate devices and steal sensitive data, which is then sent to C2 servers for management. The diverse C2 network helps attackers maintain communication and avoid being quickly disabled.
The experts' investigation uncovered a series of .apk files containing the SpyNote malware in open directories on the internet, storage locations that anyone can access and download from.
Dangerous Variants
- SpyNote.C (2022–2023): Spread through SMS or disguised as a banking app. Records calls and takes screenshots.
- SpyNote 6.4 (2023): Source code leaked on GitHub, making it easy for new criminals to exploit.
- Google Translate Fake (2025): Disguised as Google Translate, TempMail, Postbank; distributed via AWS & DuckDNS.
Real Risks
- Unsuspecting users: The fake interface looks exactly like the real one, making users feel safe installing it from unofficial sources.
- Comprehensive data collection: From location, contacts, messages, call logs to personal files, photos, and even requests for full device access.
- Remote monitoring & control: SpyNote can record audio, take photos, control the camera/microphone, log keystrokes, and even manage apps and delete data.
- Difficult to remove & neutralize: The C2 infrastructure is spread across dynamic DNS and multiple servers, allowing the software to persist even if one server is taken down.
How Android SpyNote Works
Camouflage Techniques
Initially, hackers use APK files named and designed to look exactly like real apps, such as Translate.apk and Google.apk, which mimic the real Google Translate app almost entirely. These fake APK files are distributed by hackers through:
- Email/phishing
- Open directories
- Telegram, Discord, cracked-APK channels
- Fake websites (Google Translate, DHL, Netflix…)
However, in the Accessibility permission request screen there is still a placeholder line reading "Enable [MY-NAME]", a clear sign of careless customization.
System Exploitation
After installation, SpyNote requests "device admin" rights and Accessibility services. These permissions allow the malware to:
- Continuously track location.
- Read SMS, call history, contacts.
- Log keystrokes (keylogging) and activate the microphone/camera.
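As an added illustration (not code from the original report or from FPT), the following Python script scores a decoded APK by the SpyNote-style capabilities its manifest requests, weighting the Accessibility-plus-device-admin combination described above and flagging unfilled template strings such as "Enable [MY-NAME]". The capability-to-permission mapping, the sample manifest and the verdict thresholds are my assumptions.

```python
import re

# Capabilities the report attributes to SpyNote, mapped to the Android
# permissions or service/receiver bindings that grant them. This mapping is
# an editorial assumption, not a list taken from the original report.
CAPABILITIES = {
    "accessibility": ["android.permission.BIND_ACCESSIBILITY_SERVICE"],
    "device_admin": ["android.permission.BIND_DEVICE_ADMIN"],
    "sms": ["android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"],
    "location": ["android.permission.ACCESS_FINE_LOCATION"],
    "audio_camera": ["android.permission.RECORD_AUDIO", "android.permission.CAMERA"],
    "calls_contacts": ["android.permission.READ_CALL_LOG",
                       "android.permission.READ_CONTACTS"],
}
# Matches <uses-permission android:name="..."> as well as the
# android:permission="..." guard on <service>/<receiver> elements.
_PERM_RE = re.compile(r'android:(?:name|permission)="(android\.permission\.[A-Z_]+)"')
# Unfilled template tokens such as "[MY-NAME]" in the app's string resources.
_PLACEHOLDER_RE = re.compile(r"\[[A-Z][A-Z_-]*\]")


def triage(manifest_xml: str, strings_xml: str = "") -> dict:
    """Score a decoded APK by how many SpyNote-style capabilities it requests."""
    perms = set(_PERM_RE.findall(manifest_xml))
    caps = {c: sorted(perms & set(p)) for c, p in CAPABILITIES.items()}
    caps = {c: p for c, p in caps.items() if p}
    placeholders = sorted(set(_PLACEHOLDER_RE.findall(strings_xml)))
    # Accessibility plus device admin is the combination the report singles
    # out, so it weighs more than any single capability on its own.
    score = len(caps) + len(placeholders)
    if {"accessibility", "device_admin"} <= set(caps):
        score += 3
    return {"capabilities": caps, "placeholders": placeholders, "score": score,
            "verdict": "high" if score >= 6 else "medium" if score >= 3 else "low"}


# Constructed sample resembling a fake "Translate" app; not a real artefact.
SAMPLE_MANIFEST = """<manifest package="com.example.faketranslate">
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
<receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
</manifest>"""
SAMPLE_STRINGS = '<string name="enable_msg">Enable [MY-NAME]</string>'

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

Run it against the output of a manifest decoder such as apktool; a high score on an app that claims to be a translator is exactly the mismatch the "check the Device Admin and Accessibility lists" recommendation is meant to catch.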
Contact and Control
After tracking and collecting user information, the software continuously connects to control servers (C2) via DuckDNS or Cloudflare at various IP addresses and ports, such as 18.219.97.209:8080, 156.245.20.17:7771, 95.214.177.114:3210… The diverse C2 network helps attackers maintain communication and avoid quick neutralization.
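An added example, not from the original report: matching constructed connection-log lines against the three C2 endpoints quoted above, plus a weaker review-only signal for DuckDNS hostnames, so that detection does not depend on any single server staying up. The log format, the sample lines and the DuckDNS rule are assumptions.

```python
import re
from typing import List, Tuple

# The C2 endpoints exactly as quoted in the section above; this is only the
# three the text names, not a complete indicator list.
C2_ENDPOINTS = {("18.219.97.209", 8080), ("156.245.20.17", 7771),
                ("95.214.177.114", 3210)}
# Dynamic-DNS provider the report says the campaign relies on; treated as a
# weaker, review-only signal because DuckDNS also has legitimate users.
DYNDNS_SUFFIX = ".duckdns.org"

# Constructed log format (an assumption): "<ts> <src> -> <dst>:<port> [sni=<host>]"
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)(?: sni=(?P<sni>\S+))?$")


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, severity, reason) for each line matching an indicator."""
    alerts = []
    for n, line in enumerate(lines, 1):
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        dst, port, sni = m["dst"], int(m["port"]), m["sni"]
        if (dst, port) in C2_ENDPOINTS:
            alerts.append((n, "high", f"known SpyNote C2 {dst}:{port}"))
        elif sni and sni.lower().endswith(DYNDNS_SUFFIX):
            alerts.append((n, "review", f"dynamic-DNS host {sni} on port {port}"))
    return alerts


# Constructed sample log; none of these lines come from a real capture.
SAMPLE_LOG = [
    "2025-06-12T10:00:01Z 10.0.0.5 -> 198.51.100.9:443 sni=translate.google.com",
    "2025-06-12T10:00:07Z 10.0.0.5 -> 18.219.97.209:8080",
    "2025-06-12T10:00:09Z 10.0.0.5 -> 203.0.113.7:7771 sni=example.duckdns.org",
    "2025-06-12T10:00:12Z 10.0.0.5 -> 95.214.177.114:3210",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```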
Summary
The SpyNote campaign is extremely dangerous because it combines several techniques: comprehensive spying, disguising as reputable apps, flexible C&C infrastructure, and the ability to monitor and control infected devices remotely. Its spread through open directories highlights the need for caution when downloading unknown APKs, carefully evaluating permissions, and using security/threat intelligence tools for early detection.
Recommendations
- Do not install apps from outside the Google Play Store.
- Do not grant Accessibility or Admin rights to unknown apps.
- Install reputable antivirus software (Kaspersky, BitDefender, Malwarebytes…).
- Check the Device Admin and Accessibility lists in settings.
- Do not click on strange links or download APKs from Telegram/Facebook.
IOC
C2 IP Addresses & Ports
Domain / Dynamic DNS C2
Hash of malicious APKs
- Translate.apk & Google.apk (SHA-1): 3aad911b21907053a69b49086a6396c50714accb
- Temp_20Mail.apk (SHA-1): 5b9bfa06d05172f61d1ee19724fcd12cec110353
- postbank.apk (SHA-1): dc9a821f1e061098188503dbf7518bf263334fcd
SpyNote RAT fake Adobe Reader:
- Package: com.editorpdf.acrobat
- Hash (MD5): F115C634016A9199054358515C19B40
Malicious hosting/linking domains
- kmyjh.top/002.apk
