Spynote malware internals

Static and Dynamic Analysis.

Analysis of “PDF Reader Upgrade” App

Static Analysis:-

Hashes:

Information About App:

Information about the app.

Certificate Info:

The APK carries only a v1 (JAR) signature. A v1 signature covers the individual zip entries rather than the file as a whole, which is what the Janus vulnerability (CVE-2017-13156) abuses: on Android 5.0 to 8.0 without the December 2017 patch, a DEX file can be prepended to the APK and executed while the v1 signature still verifies. A v2 or v3 signature covers the whole file and closes that hole, so a v1-only sample is worth noting both as a weakness and as a sign of an old or careless build pipeline.
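The quickest way to confirm which schemes an APK carries is `apksigner verify --verbose app.apk`, which prints a line per scheme. As an added example (not code from the original post), the Python below does the same check without the SDK by reading the APK container directly: v1 is detected from the JAR-signing files in META-INF, v2/v3 from the IDs inside the APK Signing Block that sits immediately before the zip central directory. The sample APK it builds is a constructed stand-in with placeholder contents, not the malware from this post, and `add_signing_block` only reproduces the block layout for testing the parser; it does not create a valid signature.

```python
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"
V2_BLOCK_ID = 0x7109871A  # APK Signature Scheme v2 pair ID
V3_BLOCK_ID = 0xF05368C0  # APK Signature Scheme v3 pair ID


def _eocd_offset(data):
    # The End of Central Directory record lives in the last 22 + 65535 bytes.
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if idx < 0:
        raise ValueError("not a zip/APK: no EOCD record")
    return idx


def _central_dir_offset(data):
    return struct.unpack_from("<I", data, _eocd_offset(data) + 16)[0]


def has_v1_signature(data):
    """v1 (JAR) signing leaves MANIFEST.MF plus a .SF and .RSA/.DSA/.EC pair in META-INF."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return "META-INF/MANIFEST.MF" in names and any(
        n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
        for n in names)


def signing_block_ids(data):
    """IDs of the ID-value pairs in the APK Signing Block, or [] if there is none.
    Layout: u64 size | pairs (u64 len, u32 id, value) | u64 size | 16-byte magic,
    placed directly before the central directory; 'size' excludes the first u64."""
    cd = _central_dir_offset(data)
    if cd < 24 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return []
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        return []  # the two size fields must agree
    ids, pos, end = [], start + 8, cd - 24
    while pos + 12 <= end:
        pair_len, block_id = struct.unpack_from("<QI", data, pos)
        ids.append(block_id)
        pos += 8 + pair_len
    return ids


def signature_schemes(data):
    schemes = set()
    if has_v1_signature(data):
        schemes.add("v1")
    ids = signing_block_ids(data)
    if V2_BLOCK_ID in ids:
        schemes.add("v2")
    if V3_BLOCK_ID in ids:
        schemes.add("v3")
    return schemes


def janus_exposed(data):
    """True when only v1 is present: a DEX can be prepended without breaking the
    JAR signature (Janus, CVE-2017-13156, Android 5.0-8.0 before the Dec 2017 patch)."""
    s = signature_schemes(data)
    return "v1" in s and not (s & {"v2", "v3"})


def add_signing_block(data, pairs):
    """Splice a signing block with dummy payloads in front of the central directory
    and fix the EOCD offset. Reproduces the container layout only; no real signature."""
    cd, eocd = _central_dir_offset(data), _eocd_offset(data)
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16  # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    return (data[:cd] + block + data[cd:eocd + 16]
            + struct.pack("<I", cd + len(block)) + data[eocd + 20:])


def build_v1_only_apk():
    """Constructed stand-in for a v1-signed APK: placeholder entries, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    v1_only = build_v1_only_apk()
    print(signature_schemes(v1_only), "janus exposed:", janus_exposed(v1_only))
    with_v2 = add_signing_block(v1_only, [(V2_BLOCK_ID, b"\x00" * 32)])
    print(signature_schemes(with_v2), "janus exposed:", janus_exposed(with_v2))
```

The parser checks that the two size fields of the signing block agree before walking the pairs, which is the same sanity check the platform performs; a block that fails it is treated as absent, so a damaged or hand-edited signing block reports as v1-only rather than crashing the triage.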

App Permissions:

The screenshot shows the app requesting a large set of dangerous permissions, far more than a PDF reader has any reason to ask for.

Obfuscation and Anti-VM Code:

Code Analysis:

The app writes sensitive user data to the system log (logcat), which should never be logged, since anyone with adb access or a bug report can read it. It also reads from and writes to external storage.

Activities:

Services:

Android API used:

These are the Android APIs the malicious app invokes.
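The permission list and the API list above are the two screenshots a triage script should be cross-checking. As an added example (not code from the original post), the Python below takes a decoded AndroidManifest.xml and the `invoke-*` lines from apktool smali output and reports: which dangerous permissions are declared, which sensitive APIs are called, which dangerous permissions are declared but never backed by a visible call (a hint that the real callers are hidden by the obfuscation noted earlier, or reached through reflection), which calls lack a declared permission, and which methods mix a sensitive-data API with a Log call, the logging problem described under Code Analysis. The manifest, the smali and the API-to-permission table are constructed for this example and are not taken from the sample.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed decoded manifest excerpt (not the sample's real manifest).
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pdfreader">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed smali excerpt in apktool's output format (not the sample's code).
SMALI = """\
.method public collect()V
    invoke-static {}, Landroid/os/Environment;->getExternalStorageDirectory()Ljava/io/File;
    move-result-object v0
    invoke-virtual {p0}, Lcom/example/pdfreader/Worker;->tm()Landroid/telephony/TelephonyManager;
    move-result-object v1
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v2
    invoke-static {}, Landroid/hardware/Camera;->open()Landroid/hardware/Camera;
    const-string v0, "dev"
    invoke-static {v0, v2}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
.method public exfil()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
.method public heartbeat()V
    const-string v0, "svc"
    const-string v1, "alive"
    invoke-static {v0, v1}, Landroid/util/Log;->i(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
"""

# Permissions Android marks protectionLevel=dangerous (subset relevant to spyware).
DANGEROUS = {"android.permission." + p for p in (
    "READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECORD_AUDIO", "CAMERA", "READ_CONTACTS",
    "READ_CALL_LOG", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE", "CALL_PHONE",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE")}

# Call prefix -> (capability, permission the call needs to be useful). Assumed table
# for this example; Log has no permission but is flagged because logcat leaks data.
SUSPICIOUS_APIS = {
    "Landroid/telephony/SmsManager;->sendTextMessage": ("send SMS", "android.permission.SEND_SMS"),
    "Landroid/telephony/TelephonyManager;->getDeviceId": ("read device identifiers", "android.permission.READ_PHONE_STATE"),
    "Landroid/hardware/Camera;->open": ("use camera", "android.permission.CAMERA"),
    "Landroid/media/MediaRecorder;->start": ("record audio", "android.permission.RECORD_AUDIO"),
    "Landroid/os/Environment;->getExternalStorageDirectory": ("locate external storage", "android.permission.WRITE_EXTERNAL_STORAGE"),
    "Landroid/util/Log;->": ("write to logcat", None),
}
SENSITIVE_SOURCES = ("Landroid/telephony/TelephonyManager;->",
                     "Landroid/accounts/AccountManager;->",
                     "Landroid/location/LocationManager;->")

INVOKE_RE = re.compile(r"invoke-[\w/]+\s+\{[^}]*\},\s*(L[\w/$]+;->[\w<>$]+)")
METHOD_RE = re.compile(r"\.method\s+(?:[\w-]+\s+)*([\w<>$]+)\(.*?\n(.*?)\.end method", re.S)


def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def invoked_apis(smali):
    """Class;->method targets of every invoke-* instruction, in order."""
    return [m.group(1) for m in INVOKE_RE.finditer(smali)]


def methods_logging_sensitive_data(smali):
    """Methods that call a sensitive-data API and also write to Log (a heuristic:
    no data-flow tracking, so it flags co-occurrence, not a proven leak)."""
    hits = []
    for m in METHOD_RE.finditer(smali):
        calls = invoked_apis(m.group(2))
        if (any(c.startswith("Landroid/util/Log;->") for c in calls)
                and any(c.startswith(SENSITIVE_SOURCES) for c in calls)):
            hits.append(m.group(1))
    return hits


def triage(manifest_xml, smali):
    perms = declared_permissions(manifest_xml)
    capabilities, used_perms = defaultdict(list), set()
    for call in invoked_apis(smali):
        for prefix, (capability, perm) in SUSPICIOUS_APIS.items():
            if call.startswith(prefix):
                capabilities[capability].append(call)
                if perm:
                    used_perms.add(perm)
    return {
        "dangerous_declared": sorted(perms & DANGEROUS),
        "capabilities": dict(capabilities),
        "declared_unused": sorted((perms & DANGEROUS) - used_perms),  # hidden callers?
        "used_undeclared": sorted(used_perms - perms),  # SecurityException at runtime
        "logs_sensitive_data": methods_logging_sensitive_data(smali),
    }


if __name__ == "__main__":
    for key, value in triage(MANIFEST_XML, SMALI).items():
        print(f"{key}: {value}")
```

On a real sample, point `invoked_apis` at the concatenation of every `.smali` file apktool produced; a long `declared_unused` list on an app with the obfuscation noted above usually means the interesting calls are resolved at runtime, which is the cue to move to the dynamic analysis below.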

Dynamic Analysis:-

Running the app dynamically in an Android emulator, it runs for a while and then crashes. Given the anti-VM code noted in the static analysis, the crash may be deliberate emulator detection rather than a bug, so it is worth re-running on a physical device, or with the emulator's identifying properties patched, before drawing conclusions about runtime behaviour.

Screenshot of the app running in the emulator.

Domains:

Urls:

Emails:

C2 server:-

3[.]13[.]191[.]225
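The IP is written defanged above so it cannot be clicked or pasted into a browser by accident. As an added example (not code from the original post), the Python below refangs that indicator and hunts for it in proxy and firewall logs, anchoring the match so that neighbours such as 13.13.191.225 or a longer digit run do not produce false hits. The log lines are constructed for this example and are not captures from the sample.

```python
import ipaddress
import re

# The C2 indicator from this post, kept defanged exactly as written there.
C2_DEFANGED = "3[.]13[.]191[.]225"


def refang(ioc):
    """Undo the usual defanging conventions so the IOC can be matched literally."""
    for bad, good in (("[.]", "."), ("(.)", "."), ("[:]", ":"),
                      ("hxxps://", "https://"), ("hxxp://", "http://")):
        ioc = ioc.replace(bad, good)
    return ioc


def ip_pattern(ip):
    """Anchor the address so 13.13.191.225 or 3.13.191.2250 are not counted as hits."""
    ipaddress.ip_address(ip)  # raises ValueError if refanging left junk behind
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def find_c2_hits(lines, defanged_ip):
    """(line number, line) for every log line that contacts the C2 address."""
    pat = ip_pattern(refang(defanged_ip))
    return [(n, line) for n, line in enumerate(lines, start=1) if pat.search(line)]


# Constructed sample lines in squid access-log and iptables styles; not real captures.
# Line 5 is not a valid address; it is there only to exercise the boundary check.
SAMPLE_LOGS = [
    "1700000000.123 45 10.0.0.23 TCP_MISS/200 512 POST http://3.13.191.225:8080/upload - HIER_DIRECT/3.13.191.225 text/plain",
    "1700000000.456 12 10.0.0.23 TCP_MISS/200 1024 GET http://13.13.191.225/ - HIER_DIRECT/13.13.191.225 text/html",
    "1700000001.001 30 10.0.0.7 TCP_MISS/200 200 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
    "Nov 15 10:22:01 fw kernel: OUT=eth0 SRC=10.0.0.23 DST=3.13.191.225 PROTO=TCP DPT=443",
    "Nov 15 10:22:05 fw kernel: OUT=eth0 SRC=10.0.0.23 DST=3.13.191.2250 PROTO=TCP DPT=443",
]

if __name__ == "__main__":
    for n, line in find_c2_hits(SAMPLE_LOGS, C2_DEFANGED):
        print(n, line)
```

A bare IP match is a starting point, not a verdict: cloud addresses are reassigned, so scope the search to the time window of the campaign and pair the hit with the domains and URLs listed above before escalating.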

Communicating Files with C2:-

Yara Signature:

Yara Signature for SpyNote Detection.

Conclusion

SpyNote has recently been active on the Google Play Store in apps carrying valid signatures, which makes it harder to detect, and many apps with similar configurations are in circulation.

That’s all for today.
