The Android banking trojan known as SpyNote has been deconstructed, revealing its multifaceted information-gathering capabilities.

According to F-Secure, the attack chains that deploy this spyware mainly propagate through SMS phishing operations. These chains are intricately designed to mislead potential victims into installing the program by enticing them to click on an embedded link within a message.


SpyNote is infamous for hiding its presence from the Android home screen and the Recents panel, which makes it challenging to detect. It pairs this stealth technique with requests for extensive permissions, such as access to call logs, the camera, SMS messages, and the device's external storage.

“The SpyNote malware app can be launched via an external trigger,” a researcher at F-Secure named Amit Tambe stated in a recent analysis. “Upon receiving the intent, the malware app launches the main activity.”

However, its most significant action lies in requesting accessibility permissions, subsequently leveraging them to obtain additional privileges. This includes the capacity to record audio and phone calls, track keystrokes, and capture screenshots utilizing the MediaProjection API.
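The traits described above (broad permission requests, an accessibility service, no home-screen icon, exclusion from Recents) can be checked statically in a decoded `AndroidManifest.xml` during app vetting. The following triage sketch is an added example, not code from F-Secure or this article; the sample manifest and package name are constructed, and the three-permission threshold is an assumed heuristic.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Permission groups the article lists; the >= 3 threshold below is an assumption.
SENSITIVE = {"READ_CALL_LOG", "CAMERA", "READ_SMS",
             "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"}

# Constructed sample manifest (hypothetical package), not taken from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".Main" android:excludeFromRecents="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return human-readable findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {p.get(A + "name", "").rsplit(".", 1)[-1]
             for p in root.iter("uses-permission")}
    hits = sorted(perms & SENSITIVE)
    if len(hits) >= 3:
        findings.append("broad sensitive permissions: " + ", ".join(hits))
    for svc in root.iter("service"):  # services only the system may bind for accessibility
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("declares accessibility service: " + svc.get(A + "name", "?"))
    cats = {c.get(A + "name") for act in root.iter("activity")
            for c in act.iter("category")}
    if "android.intent.category.LAUNCHER" not in cats:
        findings.append("no launcher activity (no home-screen icon)")
    for act in root.iter("activity"):
        if act.get(A + "excludeFromRecents") == "true":
            findings.append("activity excluded from Recents: " + act.get(A + "name", "?"))
    return findings

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE):
        print("-", finding)
```

Any single finding is common in legitimate apps; it is the combination that warrants a closer look.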


Deeper analysis of the malware uncovered so-called diehard services. These components are deliberately crafted to resist removal efforts, whether initiated by the infected users or the operating system itself.

This can be achieved by registering a broadcast receiver within the software capable of automatically restarting the device whenever an attempt to power it off is made. Furthermore, attempts by users to remove the malicious software via the Settings menu are thwarted. The app accomplishes this by closing the menu screen through the abuse of accessibility APIs, preventing users from uninstalling it.

“The SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs, information on installed applications, and so on,” according to Tambe. “It stays hidden on the victim’s device, making it difficult to notice,” adds the researcher. Moreover, it significantly complicates the uninstallation process.

“The victim is eventually left only with the option of performing a factory reset, losing all data, thereby, in the process.”

This revelation coincides with a report from a Finnish cybersecurity company detailing a counterfeit Android app that masquerades as an operating system update. Its deceptive tactic is to lure unsuspecting targets into granting it accessibility service permissions, enabling the theft of SMS and banking data.

