SpyNote
SpyNote is a freely available Android Remote Access Trojan (RAT) builder that has been circulating on underground forums since 2016. Its significance comes not from technical sophistication but from accessibility: anyone with basic technical skills can generate a fully functional Android implant capable of camera access, microphone recording, keylogging, SMS interception, and real-time location tracking. The builder's source code was leaked publicly in October 2022, causing an immediate surge in deployments. Since then, SpyNote has been repurposed beyond its original RAT functionality into a banking trojan with overlay attack capabilities, targeting financial institutions across Europe and beyond.
Overview
| Attribute | Details |
|---|---|
| First Seen | July 2016 |
| Status | Active, large and growing sample count |
| Type | Remote Access Trojan (RAT), banking trojan (later variants) |
| Attribution | Original author unknown; CypherRat variant sold by a developer via Telegram before source leak |
| Aliases | SpyNote, SpyMax, CypherRat (commercial variant), SpyNote.C |
| Platform | Android |
Origin and Lineage
Palo Alto Networks' Unit 42 first documented SpyNote in July 2016 after the builder appeared on underground forums. The tool provided a Windows-based GUI application that generated customized Android APKs with embedded RAT functionality. At the time, it was comparable to DroidJack and OmniRat, other Android RAT builders.
SpyNote evolved through several versions:
| Version | Period | Key Change |
|---|---|---|
| SpyNote v1-v5 | 2016-2020 | Basic RAT, free distribution on forums |
| SpyNote v6 / CypherRat | 2021-2022 | Enhanced version sold via Telegram by a developer using cryptocurrency payments through Sellix. Added banking capabilities, accessibility abuse, and overlay attacks |
| SpyNote.C (post-leak) | October 2022-present | CypherRat source code leaked on GitHub after scamming incidents in hacking forums. Mass adoption by independent operators |
The October 2022 source code leak was the inflection point. ThreatFabric documented that after the leak, SpyNote sample counts increased dramatically as actors worldwide began compiling their own builds. The malware went from a niche RAT to one of the most commonly encountered Android threats.
Distribution
SpyNote payloads reach targets through multiple low-cost channels. There is no centralized Malware-as-a-Service operation: each operator handles their own distribution.
| Vector | Details |
|---|---|
| Smishing | SMS messages with links to fake app download pages. Messages typically impersonate banks, delivery services, or system updates |
| Phishing sites | Fake websites impersonating Google Play Store, banking apps, or popular applications |
| Trojanized APKs | SpyNote payloads bundled with or disguised as legitimate apps, distributed through third-party app stores and file-sharing sites |
| Social engineering | Manual distribution through social media, messaging apps, or targeted messages |
| Fake banking apps | Cleafy documented campaigns where SpyNote was distributed as fake banking apps from major European institutions |
Because the builder is free and requires no technical backend, the distribution channels are as varied as the operators. Some campaigns target specific banks in specific countries; others cast a wide net with generic lures.
Capabilities
Core RAT Functionality
SpyNote's base capabilities have remained consistent across versions:
| Capability | Implementation |
|---|---|
| Camera | Activate front and rear cameras for photo and video capture |
| Microphone | Record ambient audio, record phone calls |
| Keylogging | Capture keystrokes via accessibility service |
| SMS | Read, intercept, and send SMS messages (2FA bypass) |
| Call log | Exfiltrate call history |
| Contacts | Steal contact list |
| Location | Real-time GPS tracking |
| File manager | Browse, download, upload, and delete files on device storage |
| App management | Install, uninstall, and list applications |
| Screen capture | Record screen using MediaProjection API |
| Clipboard | Monitor and capture clipboard contents |
| Notifications | Intercept notifications via NotificationListenerService |
| Device info | Collect IMEI, model, OS version, network info, battery status |
| Remote shell | Execute commands on the device |
Banking Trojan Extensions (CypherRat / SpyNote.C)
ThreatFabric's analysis documented the banking capabilities added in the CypherRat variant:
| Capability | Implementation |
|---|---|
| Overlay attacks | Display fake login screens over targeted banking and cryptocurrency apps |
| 2FA interception | Intercept SMS OTPs and capture authenticator app codes via accessibility |
| Credential theft | Harvest credentials from overlay injects and keylogger data |
| Automated actions | Use accessibility to perform actions within banking apps on behalf of the attacker |
| Target list | Impersonates major financial institutions including HSBC, Deutsche Bank, Kotak Bank, Nubank, and others |
Targeted Applications
Cleafy documented SpyNote campaigns targeting:
| Category | Examples |
|---|---|
| Banking | HSBC, Deutsche Bank, Kotak Bank, Nubank, various European and Asian banks |
| Cryptocurrency | Wallet apps, exchange apps |
| Social media | WhatsApp, Facebook, Instagram |
| Email | Gmail, Outlook |
| Payment | Google Pay, PayPal |
Technical Details
Accessibility Service Abuse
SpyNote's core functionality depends on the Android Accessibility Service. On first launch, the implant aggressively prompts the user to grant accessibility access through repeated dialogs. Once granted, the accessibility service enables:
- Keylogging across all applications
- Auto-granting of additional permissions without user interaction
- Overlay injection for credential theft
- Prevention of uninstallation (intercepts attempts to open settings or uninstall the app)
- Automatic re-enabling of accessibility if the user disables it
Persistence and Anti-Removal
SpyNote implements aggressive persistence techniques:
| Technique | Implementation |
|---|---|
| Die-hard services | Two background services (documented by F-Secure as "die-hard services") that monitor each other and restart if killed |
| Anti-uninstall | Accessibility service intercepts taps on uninstall dialogs and closes them, or navigates back to home screen |
| Boot persistence | A broadcast receiver for the BOOT_COMPLETED action (which requires the RECEIVE_BOOT_COMPLETED permission) restarts the services after every reboot |
| Battery optimization bypass | Requests exemption from battery optimization to prevent the OS from killing background services |
| Notification hiding | Hides its notification or disguises it as a system notification |
Removing SpyNote from an infected device often requires booting into safe mode or using ADB, because the accessibility service actively prevents normal uninstallation.
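As an added defender-side example (not code from the original page or from any SpyNote analysis), the following POSIX shell script triages saved `adb shell` output for the two footholds described in the last two sections: a third-party package that owns an enabled accessibility service, and a battery-optimization exemption that keeps the die-hard services alive. The allow-list, package names and sample device output are constructed assumptions.

```shell
#!/bin/sh
# Offline triage for the two footholds described above: an enabled accessibility
# service owned by a third-party package, and a battery-optimization (doze)
# exemption that keeps die-hard services alive. Reads saved 'adb shell' output,
# so it also works on evidence collected before a device was wiped.

# Packages expected to own accessibility services on this fleet (assumed allow-list).
ALLOWED_A11Y='com.google.android.marvin.talkback com.android.switchaccess'

# $1: value of 'settings get secure enabled_accessibility_services', a ':'-separated
# list of <package>/<service>. Prints each owning package that is not allow-listed.
suspicious_a11y() {
  printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | cut -d/ -f1 | sort -u |
  while read -r pkg; do
    [ -n "$pkg" ] || continue
    case " $ALLOWED_A11Y " in
      *" $pkg "*) ;;                      # known accessibility app, ignore
      *) printf '%s\n' "$pkg" ;;
    esac
  done
}

# $1: output of 'pm list packages -3'        ("package:<name>" per line)
# $2: the enabled_accessibility_services value
# $3: output of 'dumpsys deviceidle whitelist' ("user,<pkg>,<uid>" = runtime exemption)
# Prints "<package> <flags>" for every third-party package matching at least one signal.
triage() {
  third_party=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p')
  a11y=$(suspicious_a11y "$2")
  exempt=$(printf '%s\n' "$3" | tr -d '\r' | sed -n 's/^user,\([^,]*\),.*/\1/p')
  for pkg in $third_party; do
    flags=''
    printf '%s\n' "$a11y"   | grep -qxF "$pkg" && flags="${flags}accessibility,"
    printf '%s\n' "$exempt" | grep -qxF "$pkg" && flags="${flags}doze-exempt,"
    [ -n "$flags" ] && printf '%s %s\n' "$pkg" "${flags%,}"
  done
  return 0
}

# Constructed sample evidence (not captured from a real device):
PKGS='package:com.whatsapp
package:com.updater.sys
package:org.mozilla.firefox'
A11Y='com.google.android.marvin.talkback/.TalkBackService:com.updater.sys/com.updater.sys.svc.Acc'
DOZE='system,com.google.android.gms,10101
user,com.updater.sys,10233'

# On a live device use e.g. PKGS=$(adb shell pm list packages -3) instead of the constants.
triage "$PKGS" "$A11Y" "$DOZE"   # → com.updater.sys accessibility,doze-exempt
```

A package flagged on both signals is the one to disable with `adb shell pm disable-user --user 0 <pkg>` before attempting removal, since the accessibility service is what blocks the normal uninstall dialog.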
C2 Communication
SpyNote uses a custom TCP-based protocol to communicate with the operator's C2 server:
- Connection over raw TCP socket (default ports vary by build)
- Data serialized and transmitted in a custom binary format
- Operator uses the SpyNote desktop client (Windows) to view connected devices, issue commands, and receive data
- No relay infrastructure or proxy chains: the implant connects directly to the operator's server, making C2 infrastructure easy to identify but also trivially replaceable
Anti-Analysis
| Technique | Implementation |
|---|---|
| Class name obfuscation | All class names obfuscated in compiled builds |
| Junk code | Dead code paths inserted to slow static analysis |
| Anti-emulator | Checks for emulator properties (build strings, hardware characteristics, SIM state) and avoids execution in analysis environments |
| String encryption | Critical strings encrypted at compile time, decrypted at runtime |
The obfuscation is moderate compared to commercial spyware like FinSpy. Most samples can be analyzed with standard Android reverse engineering tools (jadx, apktool, Frida) without exceptional effort.
Builder Architecture
The SpyNote builder is a Windows desktop application that generates Android APKs. The operator specifies:
- C2 server address and port
- App name, icon, and package name (for disguising the payload)
- Which permissions and capabilities to enable
- Whether to bind the payload to a legitimate APK
The builder does not require Android development knowledge. The operator fills in configuration fields and clicks "Build," producing a ready-to-deploy APK.
Known Deployments and Targets
Unlike commercial spyware with a defined client list, SpyNote is used by thousands of independent operators worldwide. Documented campaigns include:
| Campaign/Context | Targets | Period | Source |
|---|---|---|---|
| European banking campaign | Customers of major European banks (HSBC, Deutsche Bank) | 2022-2023 | ThreatFabric |
| Italian banking targets | Italian financial institutions | 2023 | Cleafy |
| Cryptocurrency theft | Crypto wallet users | 2021-present | Fortinet |
| Generic RAT operations | Individual targets (stalkerware, personal surveillance) | 2016-present | Various |
| Natural disaster lures | Users in regions affected by earthquakes and eruptions (social engineering) | 2023 | BleepingComputer |
The majority of SpyNote deployments are never publicly reported. The free availability of the builder means it is used for everything from state-level operations in low-capability countries to individual stalkerware cases.
Notable Campaigns and Discoveries
July 2016: Palo Alto Networks' Unit 42 publishes the first analysis of SpyNote after the builder leaks on underground forums. They note its similarity to DroidJack and OmniRat, warning that active attacks are likely imminent.
2020-2021: SpyNote v6 evolves into CypherRat, sold through Telegram channels using cryptocurrency. The developer adds banking trojan features including overlay attacks and accessibility-based credential theft.
October 2022: CypherRat source code is leaked on GitHub after scamming incidents between the developer and buyers on underground forums. The leak triggers a massive increase in SpyNote deployments worldwide.
January 2023: ThreatFabric publishes "SpyNote: Spyware with RAT capabilities targeting Financial Institutions", documenting the evolution from simple RAT to banking trojan and the impact of the source code leak on the threat landscape.
2023: Cleafy documents ongoing SpyNote campaigns targeting European financial institutions with increasingly sophisticated social engineering, including fake SMS messages directing users to install "new certified banking apps."
2023: SpyNote is distributed through fake volcano eruption alerts and earthquake warnings, exploiting natural disaster fears for social engineering.
2023-present: F-Secure documents SpyNote's die-hard service architecture, detailing the anti-removal mechanisms that make the malware difficult to uninstall without ADB or safe mode access. SpyNote continues to rank among the most commonly detected Android RATs worldwide.
September 2024: Zimperium zLabs revealed that Gigabud (a banking credential stealer) and SpyNote share distribution infrastructure, suggesting coordination by a single threat actor group. The investigation identified 79 phishing sites, 11 C2 servers, and targeting of 50+ financial apps (40+ banks, 10 crypto platforms). Both families were packed with the Virbox packer. This infrastructure overlap indicates that SpyNote is being deployed alongside specialized banking credential stealers in coordinated campaigns rather than operating purely as a standalone RAT.