F-Secure Researcher Exposes SpyNote Android Spyware

Estimated read time 3 min read

Android platforms are increasingly targeted by a myriad of malware types. Spyware, in particular, has been wreaking havoc by surreptitiously collecting user data.

A recent in-depth analysis by F-Secure has shed light on a particularly menacing spyware called SpyNote.

In this report, we delve into the ins and outs of SpyNote, exploring its features, capabilities, and mechanisms for evading detection, all based on F-Secure’s comprehensive research1.

The Intricacies of SpyNote: An Introduction

SpyNote is a spyware application that leverages smishing—malicious SMS messages—to infiltrate victims’ devices. Circumventing Google Play Store’s security measures, the spyware is identified by its SHA-256 hash: bad77dca600dc7569db4de97806a66fa969b55b77c24e3a7eb2c49e009c1f216.

AndroidManifest File: The First Red Flags

F-Secure’s analysis kicked off with a detailed examination of the AndroidManifest.xml file. The permissions requested by SpyNote raised immediate concerns, including READ_SMS, PROCESS_OUTGOING_CALLS, CAMERA, RECORD_AUDIO, and others. Though not inherently malicious, these permissions are commonly sought by spyware.

Spynote Malware - Picture by F-secure
Spynote Malware – Picture by F-secure

Stealth Tactics: How SpyNote Remains Hidden

After installation, SpyNote is conspicuously missing from the app launcher, hiding in plain sight to avoid detection. F-Secure identified two primary techniques for this cloaking mechanism:

  • Utilization of setComponentEnabledSetting to dynamically hide the app.
  • Omission of the CATEGORY_LAUNCHER in its AndroidManifest.xml file.

Relentless Operations: The Diehard Services

SpyNote employs what F-Secure describes as “diehard services,” making it exceptionally difficult to terminate its activities. These services are implemented in obfuscated classes and are designed to restart themselves whenever they are shut down, thanks to a unique broadcast receiver named “RestartSensor.”

Command and Control (C2) Communication

SpyNote establishes immediate communication with a C2 server as part of its service initialization. F-Secure’s analysis indicates that the C2 IP and port are Base64 encoded, setting the stage for data exfiltration.

Spynote C2 communication - Picture by F-secure
Spynote C2 communication – Picture by F-secure

Advanced Spying Features

  • Phone Call Recording: SpyNote takes the audacity to another level by recording incoming phone calls and sending the recordings to its C2 server.
  • Screenshot Capturing: Using MediaProjection API, the spyware captures screen images and sends them to the C2 server.

Logging and Data Exfiltration

SpyNote is engineered to log a wide array of user activities, from keystrokes to screen movements. These logs are then sent back to the C2 server, making it a potent tool for data theft.

A Nightmare to Remove

Uninstalling SpyNote is a Herculean task. The spyware thwarts attempts to remove it from the ‘Settings -> Apps’ menu by automatically closing the screen, thanks to the BIND_ACCESSIBILITY_SERVICE permission2 it holds.


SpyNote is an epitome of how spyware continues to evolve in complexity and stealth. F-Secure’s thorough analysis provides invaluable insights into its mechanisms, serving as a grim reminder of the ever-escalating threats in the Android ecosystem.

It’s critical for users to stay vigilant and for cybersecurity mechanisms to evolve rapidly to counter such sophisticated threats.

  1. https://blog.f-secure.com/take-a-note-of-spynote/ ↩︎
  2. https://developer.android.com/reference/android/accessibilityservice/AccessibilityService ↩︎
Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.

You May Also Like

More From Author

+ There are no comments

Add yours