Beware of “Best Friend”: SpyNote Android Malware Spreading via WhatsApp
CYFIRMA has conducted an analysis of a malicious Android application designed to target high-value assets in South Asia. The sample was crafted using the SpyNote remote administration tool, suggesting that the targets may include entities of interest to APT groups. Specific details regarding the victims and affected regions remain undisclosed.
The malicious application was distributed via WhatsApp, with victims receiving four file variants named “Best Friend,” “Best-Friend 1,” “Friend,” and “best.” All versions were linked to a single command-and-control (C2) server. Once installed, the applications operated covertly in the background, employing code obfuscation to evade detection.
SpyNote leverages an array of permissions to access sensitive device data, including geolocation, contacts, SMS messages, device storage, and the camera. It is also capable of intercepting calls, collecting system information, and abusing Android accessibility services to monitor on-screen activity and text input.
The malware was specifically engineered to harvest data such as the device’s IMEI number, SIM card information, Android version, and network type. This information was immediately transmitted to the C2 server. Additionally, the application captured screenshots and exfiltrated user data, including contacts, messages, and photos.
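As an added illustration (not part of CYFIRMA's report or the analysed sample), the following Python script triages a decoded AndroidManifest.xml for the combination the article describes: an accessibility service plus the permissions behind location, contacts, SMS, storage, camera, call and device-identity (IMEI, SIM, network) access. The permission-to-capability mapping, the threshold and the sample manifest are my own assumptions and constructions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> permissions that grant it. The capability list follows the
# article; which permission backs each one is my assumption, not the page's.
CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "camera": {"android.permission.CAMERA"},
    "calls": {"android.permission.READ_CALL_LOG"},
    "device_info": {"android.permission.READ_PHONE_STATE"},  # IMEI, SIM, network
}

def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def declares_accessibility_service(manifest_xml):
    # A real accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE
    root = ET.fromstring(manifest_xml)
    return any(s.get(ANDROID_NS + "permission") ==
               "android.permission.BIND_ACCESSIBILITY_SERVICE"
               for s in root.iter("service"))

def triage(manifest_xml, threshold=4):
    perms = requested_permissions(manifest_xml)
    caps = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    a11y = declares_accessibility_service(manifest_xml)
    # Heuristic: screen/input monitoring plus several surveillance capabilities
    return {"capabilities": caps, "accessibility_service": a11y,
            "suspicious": a11y and len(caps) >= threshold}

# Constructed manifest for demonstration, not taken from the analysed sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage(SAMPLE_MANIFEST)` on a manifest decoded with a tool such as apktool; a hit is a triage signal for manual review, not proof of SpyNote.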
SpyNote, along with its variants SpyMax and Crax RAT, is actively utilized by hackers and APT groups like OilRig (APT34) and APT-C-37. These tools enable cybercriminals to surveil communications, exfiltrate data, and maintain persistent access to compromised systems.
Previous incidents involving SpyNote have impacted government agencies, NGOs, media outlets, and financial organizations. The current case points to the likely involvement of an unidentified APT group or another cybercriminal actor.
SpyNote remains a significant threat due to its availability on underground forums and Telegram channels. Attacks leveraging this tool underscore the preference of threat actors for reliable and potent instruments to compromise high-profile targets.