
A new generation of mobile spyware linked to the SpyMax/SpyNote malware families has been uncovered by ThreatMon researchers during the analysis of a cyber-espionage campaign targeting Chinese-speaking users. The malicious application masquerades as an official app from the Chinese Prosecutor’s Office and is distributed via fraudulent app stores. The primary targets are users in mainland China and Hong Kong.
A defining feature of this variant is its exploitation of Android accessibility features, enabling it to bypass security restrictions programmatically and gain access to an extensive array of system functions. This technical sophistication is paired with carefully crafted social engineering tactics and a highly realistic user interface, convincingly imitating legitimate government software.
Once installed, the app requests access to a broad range of system permissions. If granted, it gains near-complete control over the device. The malware can intercept messages, track geolocation, activate the microphone and camera—even initiate stealth recordings while the screen is off. Researchers note that this level of access enables prolonged covert surveillance and data theft.
Analysis revealed that the malicious APK—identified by the MD5 hash cc7f1343574f915318148cde93a6dfbc—was first detected on April 4, 2025. It employs a modular architecture comprising components that execute commands via the Runtime API, control the camera and microphone, transmit data over encrypted HTTPS connections, and activate specific behaviors based on screen state, battery level, or network activity. Data is categorized, encrypted, and deleted from the device after exfiltration.
The app requests high-risk permissions, including access to SMS, silent app installations, control over system overlays, and more—capabilities that enable complete surveillance and manipulation. This access allows the spyware to spoof app interfaces, initiate unauthorized financial transactions, subscribe users to premium services, and exfiltrate sensitive personal data.
A particularly insidious feature is a fraudulent Android accessibility settings interface, crafted as an HTML page with animations and interface elements identical to the legitimate ones, designed to deceive users into granting critical permissions.
To detect this spyware, researchers have developed a custom YARA rule and compiled a list of indicators of compromise (IOCs). These include the command-and-control IP address 165.154.110.64, a characteristic ICMP request pattern, encrypted communications, suspicious file storage paths, and unique application components.
Experts strongly advise organizations to strengthen mobile defenses through Mobile Device Management (MDM) policies, block known IOCs at the firewall level, and conduct regular training for staff on mobile phishing and counterfeit applications. Additional recommendations include network segmentation for mobile devices and continuous monitoring for anomalous background activity.
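As an added illustration (not code from the ThreatMon report), the following Python snippet shows how the two indicators quoted above, the C2 address and the APK hash, can be matched against firewall and MDM app-inventory log lines as part of the IOC blocking and background-activity monitoring recommended here. The log formats and sample lines are constructed for this example and do not reflect any vendor's real schema; the ICMP pattern the researchers mention is not published in the text, so only the destination address is matched.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the report above; everything else in this file is constructed.
C2_IPS = {"165.154.110.64"}
APK_MD5S = {"cc7f1343574f915318148cde93a6dfbc"}

# Constructed log formats (assumptions for this example, not a real product schema):
#   firewall: "<ts> proto=<tcp|udp|icmp> src=<ip> dst=<ip> [dport=<n>] action=<allow|deny>"
#   mdm:      "<ts> device=<id> pkg=<package> md5=<32 hex chars>"
FW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))? action=(?P<action>\w+)$"
)
MDM_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) pkg=(?P<pkg>\S+) md5=(?P<md5>[0-9a-fA-F]{32})$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str      # "c2_contact", "c2_icmp" or "known_apk"
    subject: str   # source IP (firewall) or device id (MDM)
    detail: str


def scan_line(line):
    """Return a Finding if the line matches a page-listed IOC, else None."""
    m = FW_RE.match(line)
    if m:
        if m["dst"] in C2_IPS:
            # ICMP to the C2 host is labelled separately so it can be triaged first.
            kind = "c2_icmp" if m["proto"].lower() == "icmp" else "c2_contact"
            return Finding(m["ts"], kind, m["src"], f"{m['proto']} to {m['dst']} ({m['action']})")
        return None
    m = MDM_RE.match(line)
    if m and m["md5"].lower() in APK_MD5S:   # hash match is case-insensitive
        return Finding(m["ts"], "known_apk", m["device"], m["pkg"])
    return None


def scan_logs(lines):
    """Scan an iterable of log lines; blank lines and unknown formats are skipped."""
    return [f for f in (scan_line(l.strip()) for l in lines if l.strip()) if f]


# Constructed sample input: two hits on the C2 address, one hit on the APK hash, two clean lines.
SAMPLE_LOGS = [
    "2025-04-04T10:00:01Z proto=tcp src=10.0.0.5 dst=165.154.110.64 dport=443 action=allow",
    "2025-04-04T10:00:02Z proto=icmp src=10.0.0.5 dst=165.154.110.64 action=allow",
    "2025-04-04T10:00:03Z proto=tcp src=10.0.0.7 dst=203.0.113.10 dport=443 action=allow",
    "2025-04-04T10:05:00Z device=phone-17 pkg=com.example.fakeapp md5=CC7F1343574F915318148CDE93A6DFBC",
    "2025-04-04T10:05:01Z device=phone-18 pkg=com.example.notes md5=0123456789abcdef0123456789abcdef",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding)
```

In practice the `SAMPLE_LOGS` list would be replaced by the firewall export and MDM inventory feed, and any hit on `10.0.0.5` or `phone-17` would drive the isolation and re-imaging steps the experts recommend.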
This case underscores the growing sophistication of mobile threats and illustrates how threat actors are leveraging platform capabilities and social engineering to circumvent built-in security mechanisms. Enhancing mobile cyber hygiene is no longer optional—it is essential for safeguarding both enterprises and individual users.