
Cybersecurity researchers have discovered that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote.
These fake websites pose as the Google Play Store installation page for apps such as the Chrome web browser.
“The threat actors used a combination of English and Chinese-language delivery sites and included Chinese-language comments in the distribution site code and in the malware itself,” the DomainTools Investigations (DTI) team said in a report shared with The Hacker News.
SpyNote (aka SpyMax) is a remote access trojan that has long been known for its ability to harvest sensitive data from compromised Android devices by abusing accessibility services. In May 2024, the malware was propagated through another fake site impersonating a legitimate antivirus solution known as Avast.

Subsequent analysis by mobile security company Zimperium uncovered similarities between SpyNote and Gigabud, raising the likelihood that the same threat actor or actors are behind both malware families. Gigabud is attributed to the Chinese-speaking threat actor codenamed GoldFactory.
Over the years, SpyNote has also been put to use by state-sponsored hacking groups, including OilAlpha and other unknown actors.

The cloned website identified by DTI contains a carousel of images that, when clicked, download a malicious APK file to the user’s device. The package file acts as a dropper that installs a second, embedded APK payload via the DialogInterface.OnClickListener interface, so that the SpyNote malware is executed when the user taps an item in a dialog box.
“Once installed, it aggressively requests a large number of intrusive permissions and extensive control over the compromised device,” DTI said.
“This control allows for the theft of sensitive data such as SMS messages, contacts, call logs, location information, and files. SpyNote also boasts significant remote access capabilities, including camera and microphone activation, call manipulation, and execution of arbitrary commands.”
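The dropper pattern described above (an outer APK that carries a second APK inside it and hands it to the installer from a dialog click handler) leaves a static footprint that is easy to check for during triage: an Android package nested inside another. The following Python script is an added example, not code from DTI’s report or from the malware. It sniffs every entry of an APK by content rather than by file extension, reports any embedded Android packages (recursively, with a depth and size cap), and builds a constructed sample archive to exercise itself. The entry names, the `assets/update.dat` path, and the sample archives are all constructed assumptions.

```python
import io
import zipfile

# Entries whose presence marks a ZIP archive as an Android package.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_apk_bytes(data: bytes) -> bool:
    """Return True if `data` is a ZIP archive that carries an Android package."""
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return APK_MARKERS.issubset(names)


def find_embedded_apks(apk_bytes: bytes, name: str = "outer.apk",
                       max_depth: int = 3,
                       max_entry_size: int = 64 * 1024 * 1024) -> list:
    """Walk an APK and return the paths of every nested APK it carries.

    Nested paths are joined with '!' (e.g. outer.apk!assets/update.dat).
    max_depth bounds recursion and max_entry_size skips oversized entries,
    so a decompression bomb cannot exhaust the triage host.
    """
    found = []

    def walk(data: bytes, prefix: str, depth: int) -> None:
        if depth > max_depth:
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > max_entry_size:
                    continue
                # Sniff by content: droppers routinely rename the payload
                # to .dat/.png/.mp3 so an extension filter would miss it.
                blob = zf.read(info.filename)
                if is_apk_bytes(blob):
                    path = f"{prefix}!{info.filename}"
                    found.append(path)
                    walk(blob, path, depth + 1)

    walk(apk_bytes, name, 0)
    return found


def build_sample_apk(embed_payload: bool) -> bytes:
    """Construct a minimal APK-shaped ZIP for testing (sample data, not real malware)."""
    def make(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for entry_name, content in entries.items():
                zf.writestr(entry_name, content)
        return buf.getvalue()

    # Inner package: looks like an APK (manifest + dex), content is filler.
    inner = make({"AndroidManifest.xml": b"\x00" * 16,
                  "classes.dex": b"\x00" * 16,
                  "resources.arsc": b"\x00" * 16})
    outer = {"AndroidManifest.xml": b"\x00" * 16,
             "classes.dex": b"\x00" * 16,
             "assets/icon.png": b"\x89PNG\r\n\x1a\n"}
    if embed_payload:
        # Disguised second-stage APK, as a dropper would ship it.
        outer["assets/update.dat"] = inner
    return make(outer)


if __name__ == "__main__":
    for flag in (False, True):
        hits = find_embedded_apks(build_sample_apk(flag))
        print(f"embed_payload={flag}: nested APKs -> {hits}")
```

A hit from this check is a strong triage signal but not proof on its own (some legitimate apps bundle plugin APKs), so pair it with a permission review: real `AndroidManifest.xml` entries are binary XML, so use `apkanalyzer manifest print` or androguard to list the requested permissions and flag accessibility-service declarations alongside the nested package.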

The disclosure comes as Lookout revealed that it observed over 4 million mobile-centric social engineering attacks in 2024, along with 427,000 malicious app detections and 1,600,000 vulnerable app detections on enterprise devices over the same period.
“In the past five years, iOS users have been exposed to far more phishing attacks than Android users,” Lookout said. “2024 was the first year in which iOS devices were exposed to more than twice as many attacks as Android devices.”
Intelligence Agencies Warn About BadBazaar and Moonshine
The findings also follow a joint advisory issued by cybersecurity and intelligence agencies from Australia, Canada, Germany, New Zealand, the U.K., and the U.S. about the targeting of Uyghur, Taiwanese, and Tibetan communities.
The campaign’s targets include individuals who advocate for or represent these groups, non-governmental organizations (NGOs), journalists, businesses, and civil society members. “The indiscriminate way this spyware is spread online means there is a risk that the infection could spread beyond its intended victims,” the agencies said.
Both BadBazaar and Moonshine are classified as trojans that can collect sensitive data from Android and iOS devices, including location, messages, photos, files, and more. They are typically distributed through apps that masquerade as messaging, utility, or religious apps.
BadBazaar was first documented by Lookout in November 2022, but the campaign distributing the malware is assessed to have been ongoing since as early as 2018. Moonshine, meanwhile, was recently used by a threat actor called Earth Minotaur to conduct long-term surveillance operations aimed at Tibetans and Uyghurs.
The use of BadBazaar is tied to a Chinese hacking group tracked as APT15, also known as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.

“The iOS variant of BadBazaar has relatively limited functionality compared with its Android counterpart, but still has the ability to exfiltrate personal data from victims’ devices,” Lookout said in a January 2024 report.
According to the cybersecurity company, data collected from victim devices via Moonshine is exfiltrated to attacker-controlled infrastructure that is accessed through a so-called Scotch admin panel. As of January 2024, 635 devices were recorded across three Scotch admin panels.
In related developments, Swedish authorities arrested Dilshat Reshit, a Uyghur resident of Stockholm, on suspicion of spying on fellow members of the community in the country. Reshit has been the World Uyghur Congress’ (WUC) Chinese-language spokesperson since 2004.