Malware Disguised as Avast Antivirus Detected

The Android SpyNote malware is posing as an antivirus application in order to compromise Android devices, take control of them and extract sensitive user information. This newly identified variant shows how malware tactics keep evolving against unsuspecting users.
According to a report from Cyfirma, the latest SpyNote deployment masquerades as “Avast Mobile Security”. Once installed, the malware requests permissions commonly associated with legitimate antivirus software, including access to Accessibility Services, which lets it silently grant itself further permissions and bypass the usual user consent prompts.
Notably, SpyNote excludes itself from battery optimization so that it keeps running in the background without being noticed. It can simulate user gestures to keep itself on the device and can display misleading system notifications that steer users back to the malware, building a strong barrier against detection and uninstallation.
SpyNote specifically targets cryptocurrency accounts, aiming to steal private keys and balance information for prominent assets such as Bitcoin, Ethereum and Tether. It also monitors network connectivity to stay online, which keeps its channel to the command-and-control servers open and supports data exfiltration.
SpyNote’s data harvesting extends to capturing user credentials and storing them on the device’s SD card, which it later overwrites to remove traces of its activity. Its obfuscation techniques complicate detection by security tools: through code obfuscation and custom packing, the malware hides its operational components, frustrating reverse engineering and evading detection.
SpyNote also resists uninstallation by monitoring system settings and blocking removal attempts through simulated user interactions. It uses Accessibility Services to react in real time, so users cannot disable or remove the application through the standard device settings. When a user opens the app’s settings page, SpyNote automatically redirects them back to the home screen, further entrenching itself on the device.
SpyNote is distributed through phishing websites that replicate the legitimate Avast antivirus download page and offer an APK named Avastavv.apk for direct download onto Android devices. Visitors on iOS are redirected to the official App Store page for AnyDesk Remote Desktop, and the phishing sites also offer AnyDesk downloads for Windows and Mac computers, broadening the campaign’s reach.
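As an added example (not code from the article or from Cyfirma), the Python helper below triages an installed-app inventory for the traits described above: an Avast-branded label on an unexpected package name, an accessibility service, a battery-optimization exemption request, sideloading, and the Avastavv.apk file name. The inventory format, the sample records and the assumed genuine Avast package name are constructed assumptions and should be verified against the vendor’s own listing.

```python
# Added triage example; not the article's or Cyfirma's code.
from dataclasses import dataclass

# Assumed mapping of vendor keyword in the app label -> expected package name.
# Verify against the vendor's Play Store listing before relying on it.
KNOWN_VENDORS = {"avast": "com.avast.android.mobilesecurity"}

ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BATTERY_OPT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
PLAY_STORE = "com.android.vending"
SUSPICIOUS_APK_NAMES = {"avastavv.apk"}  # file name reported in the article

@dataclass
class App:
    label: str
    package: str
    permissions: set      # permission strings found in the manifest
    installer: str        # installer package, "" if unknown / sideloaded
    apk_name: str = ""    # original APK file name if known

def triage(app: App) -> list:
    """Return the SpyNote-style indicators this app exhibits."""
    hits = []
    for keyword, real_pkg in KNOWN_VENDORS.items():
        if keyword in app.label.lower() and app.package != real_pkg:
            hits.append(f"label impersonates {keyword}, package is {app.package}")
    if ACCESSIBILITY in app.permissions:
        hits.append("declares an accessibility service")
    if BATTERY_OPT in app.permissions:
        hits.append("asks to be exempted from battery optimization")
    if app.installer != PLAY_STORE:
        hits.append(f"sideloaded via {app.installer or 'unknown installer'}")
    if app.apk_name.lower() in SUSPICIOUS_APK_NAMES:
        hits.append(f"installed from {app.apk_name}")
    return hits

def is_suspicious(app: App) -> bool:
    """Escalate on brand impersonation combined with self-protection traits."""
    hits = triage(app)
    return any("impersonates" in h for h in hits) and len(hits) >= 3

# Constructed sample inventory: one lookalike install and one genuine one.
SAMPLE_APPS = [
    App("Avast Mobile Security", "com.example.avastavv",  # constructed package
        {ACCESSIBILITY, BATTERY_OPT, "android.permission.INTERNET"},
        installer="", apk_name="Avastavv.apk"),
    App("Avast Mobile Security", "com.avast.android.mobilesecurity",
        {"android.permission.INTERNET"}, installer=PLAY_STORE),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        verdict = "SUSPICIOUS" if is_suspicious(app) else "ok"
        print(app.package, "->", verdict, triage(app))
```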
