Hackers Using WhatsApp to Spread Android Malware and Steal Data

A malicious Android sample, likely built by an unknown threat actor using SpyNote, was discovered targeting high-value assets in Southern Asia. The specific target and region remain undisclosed, but the nature of the target suggests potential involvement of advanced persistent threat (APT) groups.

An unknown threat actor attempted a targeted attack on high-value individuals in Southern Asia by delivering obfuscated Android payloads via WhatsApp. The payloads were designed to operate stealthily in the background, potentially compromising sensitive information.

Researchers discovered a malicious Android payload requesting excessive permissions, including location tracking, contact access, camera control, SMS reading, and storage manipulation, indicating potential for data theft and device monitoring. 

The payload enables an attacker to gain access to sensitive information by monitoring incoming and outgoing calls on the Android device. It also interacts with the device's file system, allowing the attacker to explore and extract data.

The code snippet reveals that the app attempts to gain unauthorized access to the device's accessibility settings, which would let the attacker monitor user activity, capture sensitive information, and potentially prevent the victim from removing the malicious app.

It extracts sensitive device information, including the unique device identifier (IMEI), SIM card details, Android version, network connectivity type, and subscriber identity module (IMSI) number, which can be used to pinpoint the device's exact location and potentially compromise user privacy.
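The permission set, accessibility-service declaration and device-identifier access described above are visible in an APK's manifest before the code ever runs, so a defender can triage samples on that alone. The script below is an added example (not from the article or from Cyfirma): it scores a constructed AndroidManifest.xml against the capability groups the article lists and flags the accessibility service; the manifest contents and the scoring thresholds are assumptions for illustration, the permission names are real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capability groups the article attributes to the payload. Each group counts once,
# so a legitimate app asking for a single capability scores low.
SPYWARE_GROUPS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "camera": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    # READ_PHONE_STATE is what exposes IMEI/IMSI-style identifiers on older API levels
    "device_ids": {"android.permission.READ_PHONE_STATE"},
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (not the real sample's) mirroring the reported permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    """Map requested permissions onto capability groups, detect a declared
    accessibility service, and flag >= 4 groups or accessibility plus >= 2 groups."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    groups = sorted(g for g, perms in SPYWARE_GROUPS.items() if requested & perms)
    a11y = any(s.get(PERM_ATTR) == ACCESSIBILITY_PERM for s in root.iter("service"))
    suspicious = len(groups) >= 4 or (a11y and len(groups) >= 2)
    return {"groups": groups, "accessibility_service": a11y,
            "verdict": "suspicious" if suspicious else "review"}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest extracted with a decoder such as apktool; the verdict is a triage hint for analyst review, not a malware classification.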

SpyNote and its variants (SpyMax, Crax RAT, and Eagle Spy) are sophisticated Android RATs used by various threat actors for malicious activities like espionage, financial fraud, and targeted attacks, evolving over time to enhance their capabilities and bypass security measures.

APT groups such as OilRig, APT-C-37, and OilAlpha have employed SpyNote, a malicious tool targeting Android devices, to compromise critical sectors by stealing sensitive data. Its capacity for persistent surveillance and data theft poses a significant threat, and it could be adopted by other malicious actors.

According to Cyfirma, an unidentified threat actor likely targeted high-value individuals in Southern Asia using the publicly available SpyNote malware, demonstrating a preference for this tool in persistent attacks against high-profile targets.

Kaaviya, https://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
