Researchers have examined how a sneaky but highly effective malware operates on Android.
After thoroughly examining the Android Trojan SpyNote, researchers from the information security firm F-Secure found that it has a wide range of capabilities for gathering sensitive data.
SpyNote is typically spread via smishing campaigns, in which attackers persuade victims to click on a link in an SMS and install the program. SpyNote asks for access to your call history, camera, SMS, and external storage during installation and cleverly hides its footprints on the Android start screen and recent tasks screen to avoid detection.
The researchers claimed that an external trigger could be used to activate the SpyNote malware. When the malicious application receives the signal, the main activity starts.
SpyNote is noteworthy because it requests permissions and then uses those permissions to automatically grant itself additional rights to record audio and phone calls, log keystrokes, and take screenshots using the MediaProjection API.
The presence of so-called "diehard" services, which shield the application from attempts to shut it down by the victim or the operating system, was discovered after a more thorough analysis of the malware.
The SpyNote Trojan ensures its persistence by registering a Broadcast Receiver, which restarts the malware when an attempt is made to terminate it. Furthermore, when a user tries to uninstall the malicious application through the settings menu, the use of the API causes the menu to close automatically. The only way to fix the issue is to factory reset the device, erasing all data on it in the process.
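For analysts triaging a suspicious APK, the manifest-level traits described above (the requested permissions, no start-screen icon, exclusion from recent tasks, declared receivers) can be checked statically. The sketch below is an added example, not code from the F-Secure analysis; the permission names chosen, the use of the LAUNCHER category and `excludeFromRecents` as the hiding indicators, and the sample manifest are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Permissions matching the access the article lists: call history, camera,
# SMS and external storage (the exact mapping is this example's assumption).
WATCHED = {"android.permission." + p for p in
           ("READ_CALL_LOG", "CAMERA", "READ_SMS", "WRITE_EXTERNAL_STORAGE")}
LAUNCHER = "android.intent.category.LAUNCHER"

def triage_manifest(xml_text):
    """Return manifest traits worth an analyst's attention; none is proof alone."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    app = app if app is not None else ET.Element("application")
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")}
    # An app with no LAUNCHER activity (or alias) shows no start-screen icon.
    entry_points = app.findall("activity") + app.findall("activity-alias")
    has_icon = any(c.get(NS + "name") == LAUNCHER
                   for a in entry_points for c in a.iter("category"))
    # Activities flagged this way do not appear on the recent tasks screen.
    hidden = [a.get(NS + "name") for a in app.findall("activity")
              if a.get(NS + "excludeFromRecents") == "true"]
    # Declared receivers and the actions that wake them, for manual review.
    receivers = {r.get(NS + "name"): [x.get(NS + "name") for x in r.iter("action")]
                 for r in app.findall("receiver")}
    return {
        "watched_permissions": sorted(requested & WATCHED),
        "no_launcher_icon": not has_icon,
        "excluded_from_recents": hidden,
        "receivers": receivers,
    }

# Constructed sample manifest (all class and action names are invented).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".Main" android:excludeFromRecents="true"/>
    <receiver android:name=".Restart"><intent-filter>
      <action android:name="com.example.sample.RESTART"/></intent-filter></receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE).items():
        print(key, "=", value)
```

The input must be a decoded text manifest, since the `AndroidManifest.xml` inside an APK is stored in a binary form. Receivers registered at runtime do not appear in the manifest, so an empty `receivers` result does not rule out the restart behaviour.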