A new report out today from internet intelligence company DomainTools LLC warns that threat actors are using newly registered domains to deliver the SpyNote Android remote access trojan via sites that mimic Google Play app installation pages.
In trying to imitate legitimate Google Play app listings, the cloned pages often feature image carousels and familiar visual elements to create the illusion of legitimacy, prompting unsuspecting users to download malicious APK files. One example mimicked the TikTok installation page, using remnants of older app references such as “com.zhiliaoapp.musically” in the site code.
The downloaded files include variants of SpyNote, an Android RAT capable of conducting surveillance, harvesting sensitive data and executing remote commands on compromised devices. SpyNote first appeared in 2016 and has popped up in various campaigns over the years, including one targeting Netflix Inc. users in 2017.
The SpyNote malware is delivered in a two-stage process: an initial dropper APK installs a second embedded APK that houses the core spyware functionality. DomainTools found that the dropper uses JavaScript to create a hidden iframe that silently initiates the download process when a user clicks the fake install button.
DomainTools’ analysis revealed that the domains distributing SpyNote share a number of common traits. Many of the domains were found to be registered with NameSilo LLC and XinNet Technology Corp. and are hosted on infrastructure tied to Lightnode Ltd and Vultr Holdings LLC.
The SSL certificates and DNS configurations were also found to point to a systematic and automated deployment of the malicious sites, most likely undertaken by a threat actor with access to builder kits or malware-as-a-service tooling.
Notably, the malware delivery sites include code and comments in both English and Chinese, suggesting that a Chinese-speaking threat actor is behind the campaign. The threat actor also uses Chinese-language domains and infrastructure, although DomainTools notes that definitive attribution remains speculative without more direct evidence.
SpyNote has been previously linked to advanced persistent threat groups such as OilRig (APT34), APT-C-37 (Pat-Bear) and OilAlpha. The groups have historically targeted individuals in South Asia, including Indian defense personnel.
Once installed, SpyNote requests an array of intrusive permissions, including access to SMS, contacts, call logs, camera, microphone and location services. The malware can record phone calls, capture keystrokes, take screenshots and even prevent its own uninstallation through abuse of accessibility features.
The malware’s persistence mechanisms make it particularly difficult to remove. SpyNote can automatically relaunch after reboot, hide its app icon and exclude itself from battery optimization to remain running in the background.
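As an added, defender-side example that is not from the DomainTools report: a small Python triage script that parses a decoded AndroidManifest.xml and flags the combination described above (broad surveillance permissions, relaunch on boot, battery-optimization exemption and an accessibility service). The manifests it checks are constructed here, the four-permission threshold is an assumption, and a real APK's manifest would first need decoding with a tool such as apktool before being fed to it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Surveillance permissions matching the capabilities the article lists.
SURVEILLANCE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
# Persistence markers: relaunch after reboot, battery-optimization exemption.
PERSISTENCE = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot relaunch",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery exemption",
}

def triage_manifest(xml_text):
    """Summarize a decoded manifest and flag the SpyNote-like combination."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    surveillance = sorted({SURVEILLANCE[p] for p in perms if p in SURVEILLANCE})
    persistence = sorted({PERSISTENCE[p] for p in perms if p in PERSISTENCE})
    # An accessibility service is declared as a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    # Threshold is a heuristic assumption for this example, not a published indicator.
    suspicious = len(surveillance) >= 4 and bool(persistence) and accessibility
    return {"surveillance": surveillance, "persistence": persistence,
            "accessibility_service": accessibility, "suspicious": suspicious}

def _manifest(perms, accessibility):
    """Build a constructed test manifest (not a real sample)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    svc = ('<service android:name=".Svc" android:permission='
           '"android.permission.BIND_ACCESSIBILITY_SERVICE"/>' if accessibility else "")
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.constructed">{uses}<application>{svc}</application></manifest>')

SPYWARE_LIKE = _manifest(list(SURVEILLANCE) + list(PERSISTENCE), accessibility=True)
BENIGN_CAMERA_APP = _manifest(["android.permission.CAMERA"], accessibility=False)

if __name__ == "__main__":
    for name, manifest in (("spyware-like", SPYWARE_LIKE), ("benign", BENIGN_CAMERA_APP)):
        print(name, triage_manifest(manifest))
```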
The DomainTools researchers are urging mobile users and enterprise security teams to remain vigilant against spoofed app pages and to avoid sideloading APKs from unknown sources.