Spyware is being spread via fake natural disaster alerts

Malware is being spread to Android devices via fake volcano eruption alerts, cyber security researchers have found. 

Researchers at Italian cyber security company, D3Labs, published a blog about the malicious software on October 16. They discovered that malicious actors were exploiting the IT-Alert service, a new public alert system used by the Italian government to disseminate crucial information to its citizens in emergency situations, for example natural disasters. 

In order to convince unsuspecting victims into downloading the malicious software, the malicious actors created a website posing as IT Alert that read “due to the possible eruptions of a volcano, a national earthquake could occur. Download the app to keep an eye on whether the region could be affected”. This fake website was directed only at Android users, with the website redirecting to the actual IT Alert website if accessed via a desktop browser or an iOS device. 

Source: D3Labs

Once a victim clicked on the download button, a file labelled IT-Alert.apk was downloaded to their device. This file contains SpyNote malware. This malware is primarily used to target financial institutions and is usually sold via Telegram by its creator who uses the alias CypherRat.

By prompting the user to allow the app to run in the background, malicious actors are able to gain full control of the victim’s smartphone via its accessability services. This allows the malicious actors to “monitor, manage and modify the resources and features of the device along with remote access capabilities”. This technique also makes it more difficult for victims to “uninstall the application, update already uninstalled applications or install new ones”.  

Source: D3Labs

SpyNote can also independently use buttons within apps, access the device’s camera, extract personal information from the device and send this information along with pictures and videos from the infected device to its command-and-control center. This allows the malicious actors to spy on the user.

Malicious actors are also able to obtain codes used for two-factor authentication (2FA) and steal login credentials for both banking applications and social media. This is done by launching a fake application that looks like a legitimate service and prompting victims to input their login credentials.

A spokesperson for Google, operator of the official app store for Android devices, Google Play, told BleepingComputer that “no apps containing [SpyNote] are found on Google Play”.  

The spokesperson also said that: “Google implemented user protections for this spyware ahead of this report’s publication. Users are protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”