Spynote malware internals

Static and Dynamic Analysis.

Analysis of “PDF Reader Upgrade” App

Static Analysis:-


Information About App:

info. of App.

Certificate Info:

Certificate is signed with the v1 signature schema which makes it vulnerable to Janus vulnerability.

App Permissions:

In image we can see app has access to many malicious permissions.

Obfuscation and Anti-VM Code:

Code Analysis:

App logs into the sensitive information of user which should never be logged.It also has ability to read and write into the external storage.



Android API used:

These are API’s used by this malicious app.

Dynamic Analysis:-

Running app dynamically on emulator [ android VM ] . App for sometime the App crashes.

screenshot of running app dynamically in emulator.




C2 server:-


Communicating Files with C2:-

Yara Signature:

Yara Signature for SpyNote Detection.


Spynote malware is been active recently on Google Play Store with the signed valid signatures which makes its harder to detect and millions of such apps are being available with such similar configurations.

That’s all for today.