SpyNote Spyware Returns with SMS Phishing Against Banking Customers

In its recent attack campaign, SpyNote Spyware is sending victims fake SMS messages urging them to install a new certified banking app.


  1. SpyNote spyware has been active since 2016, with a primary focus on targeting the banking sector.
  2. The latest campaign involves an extensive targeting of banks in Europe by the SpyNote spyware.
  3. SpyNote’s modus operandi involves sending fake SMS messages to victims, commonly known as smishing.

The cybersecurity firm Cleafy Threat Intelligence Team has revealed alarming findings about the Android spyware known as SpyNote, which has been increasingly targeting European financial institutions.

According to Cleafy’s report, over the past few months, an aggressive campaign utilizing SpyNote has been observed, posing significant threats to the security of bank customers. This malware exploits various techniques, including social engineering attacks and Accessibility services, to carry out bank fraud with ease.

The modus operandi of this spyware starts with a deceptive smishing campaign, where potential victims receive fake SMS messages urging them to install a “new certified banking app.” Subsequently, users are redirected to what appears to be a legitimate TeamViewer app but this is, in reality, the initial step to grant remote access to the victim’s device.

SpyNote Spyware Returns: SMS Phishing Targets European Banking Customers
One of the fake text messages used against Italian customers – Clicking on (bit.ly/SupportoRemoto) is still redirecting victims to TeamViewer QuickSupport app on Google Play Store. (Screenshot: Cleafy)

Key Features of SpyNote:

  1. Keylogger: Once granted Accessibility permissions, SpyNote can automatically accept other permission popups, perform keylogging activities, and collect sensitive information such as installed applications, app properties, and user inputs.
  2. SMS Collection & 2FA Bypass: SpyNote intercepts SMS messages, including two-factor authentication (2FA) codes, and transmits them to the attackers’ command-and-control (C2) server, bypassing the security measures implemented by financial institutions.
  3. C2 Communications: The spyware communicates with its C2 server via socket communication, employing various uncommon ports to avoid detection. Data exchanged between SpyNote and the server are packaged with a custom scheme, making it challenging to identify and block.
  4. Screen Recording and Defense Evasion: SpyNote can capture the device’s screen content using Media Projection APIs, granting attackers comprehensive control and access to critical information. The malware also employs obfuscation, anti-emulator controls, and hidden application icons to evade detection and analysis.

However, this is not the first time that SpyNote has been highlighted in a spyware campaign. Active since 2016, the spyware has been behind countless campaigns targeting various institutions. In 2017, SpyNote RAT was found on fake Android apps masquerading as Netflix, WhatsApp and Facebook.

  1. Advanced Vishing Attack “LetsCall” Targets Andriod Users
  2. FakeTrade Android Malware Attack Steals Crypto Wallet Data
  3. Triada Malware Infects Android Devices via Fake Telegram App
  4. Global Android Malware Attack Imitates VPN and Security Apps
  5. Popular Android Screen Recorder iRecorder App Exposed as Trojan
Related Posts