Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote.
These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead.
“The threat actor utilized a mix of English and Chinese-language delivery sites and included Chinese-language comments within the delivery site code and the malware itself,” the DomainTools Investigations (DTI) team said in a report shared with The Hacker News.
SpyNote (aka SpyMax) is a remote access trojan long known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated via another bogus site impersonating a legitimate antivirus solution known as Avast.
Subsequent analysis by mobile security firm Zimperium has unearthed similarities between SpyNote and Gigabud, raising the possibility that the same threat actor or actors are behind the two malware families. Gigabud is attributed to a Chinese-speaking threat actor codenamed GoldFactory.
Over the years, SpyNote has also seen some level of adoption by state-sponsored hacking groups, such as OilAlpha and other unknown actors.
The clone websites identified by DTI include a carousel of images that, when clicked, download a malicious APK file onto the user’s device. The package file acts as a dropper to install a second embedded APK payload via the DialogInterface.OnClickListener interface that allows for the execution of the SpyNote malware when an item in a dialog box is clicked.
“Upon installation, it aggressively requests numerous intrusive permissions, gaining extensive control over the compromised device,” DTI said.
“This control allows for the theft of sensitive data such as SMS messages, contacts, call logs, location information, and files. SpyNote also boasts significant remote access capabilities, including camera and microphone activation, call manipulation, and arbitrary command execution.”
The disclosure comes as Lookout revealed that it observed over 4 million mobile-focused social engineering attacks in 2024, with 427,000 malicious apps detected on enterprise devices and 1,600,000 vulnerable app detections during the time period.
“Over the course of the last five years, iOS users have been exposed to significantly more phishing attacks than Android users,” Lookout said. “2024 was the first year where iOS devices were exposed more than twice as much as Android devices.”
Intel Agencies Warn of BadBazaar and MOONSHINE
The findings also follow a joint advisory issued by cybersecurity and intelligence agencies from Australia, Canada, Germany, New Zealand, the United Kingdom, and the United States about the targeting of Uyghur, Taiwanese, and Tibetan communities using malware families such as BadBazaar and MOONSHINE.
Targets of the campaign include non-governmental organizations (NGOs), journalists, businesses, and civil society members who advocate for or represent these groups. “The indiscriminate way this spyware is spread online also means there is a risk that infections could spread beyond intended victims,” the agencies said.
 |
| A subset of app icons used by samples of the MOONSHINE surveillance tool as of January 2024 |
Both BadBazaar and MOONSHINE are classified as trojans that are capable of gathering sensitive data from Android and iOS devices, including locations, messages, photos, and files. They are typically distributed via apps that are passed off as messaging, utilities, or religious apps.
BadBazaar was first documented by Lookout in November 2022, although campaigns distributing the malware are assessed to have been ongoing as early as 2018. MOONSHINE, on the other hand, was recently put to use by a threat actor dubbed Earth Minotaur to facilitate long-term surveillance operations aimed at Tibetans and Uyghurs.
The use of BadBazaar has been tied to a Chinese hacking group tracked as APT15, which is also known as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.
“While the iOS variant of BadBazaar has relatively limited capabilities versus its Android counterpart, it still has the ability to exfiltrate personal data from the victim’s device,” Lookout said in a report published in January 2024. “Evidence suggests that it was primarily targeted at the Tibetan community within China.”
According to the cybersecurity company, data collected from the victims’ devices via MOONSHINE is exfiltrated to an attacker-controlled infrastructure that can be accessed via a so-called SCOTCH ADMIN panel, which displays details of compromised devices and the level of access to each of them. As of January 2024, 635 devices were logged across three SCOTCH ADMIN panels.
In a related development, Swedish authorities have arrested Dilshat Reshit, a Uyghur resident of Stockholm, on suspicion of spying on fellow members of the community in the country. Reshit has served as the World Uyghur Congress’ (WUC) Chinese-language spokesperson since 2004.
