    SpyMax Returns: Mobile Surveillance Campaign Hits Chinese-Speaking Users

    A new mobile spyware campaign tied to the notorious SpyMax/SpyNote malware family has been discovered targeting Chinese-speaking users in mainland China and Hong Kong. Posing as an official application from the Chinese Prosecutor’s Office, this advanced malware is distributed through fake third-party app stores. Once installed, it silently takes control of Android devices, enabling extensive surveillance capabilities.

    Unlike commodity malware that only harvests what it can reach, this variant actively takes over the device. It combines social engineering with Android's accessibility services, which let an app read the screen and inject taps on the user's behalf, to click through permission prompts and obtain capabilities the user would otherwise have to grant one by one. With those in hand it can track users in real time, activate the microphone and camera, and steal personal data while staying out of sight.

    A Sophisticated Disguise

    The fake application is presented with a user interface that closely mimics the official look and feel of a government-issued mobile app. This design, combined with detailed animation and realistic visual elements, makes it almost indistinguishable from the real thing. The goal is to trick users into believing they are downloading a legitimate tool from a trusted institution.

    The attackers also embedded a fabricated Android accessibility settings page that appears when permissions are requested. This page is not part of the operating system. It is an HTML replica rendered inside the app, designed to mislead users into enabling the accessibility service that gives the malware control of the user interface. Once that service is enabled, the malware operates silently in the background, and the attackers effectively hold the same control over the device as the person holding it.

    Technical Profile of the Spyware

    The application, distributed under the name "检察院" (Prosecutor's Office), was flagged by security researchers on April 4, 2025. The identified APK has the MD5 hash cc7f1343574f915318148cde93a6dfbc. MD5 is adequate as a lookup key for this one sample, but pivoting in other threat feeds usually requires a SHA-256, which the report does not give, so analysts who obtain the file should record both. Its architecture is modular: separate components handle specific tasks, from collecting information to managing remote commands and executing dynamic behavior based on the state of the device.

    Key technical features include:

    • Shell command execution via Android's Runtime API (Runtime.exec)

    • Remote control of the camera and microphone, even when the screen is off

    • Real-time GPS tracking and location reporting

    • Data exfiltration over encrypted HTTPS connections

    • Activation of certain functions depending on screen status, battery level, or network activity

    • Automatic encryption and deletion of stolen data after transmission

    Dangerous Permissions and Capabilities

    This spyware variant requests a wide range of Android permissions, several of which (silent package installation in particular) are normally reserved for system apps and are only reachable by a third-party app through accessibility automation. These permissions allow it to:

    • Read and send SMS messages

    • Access call logs and contact information

    • Monitor device location through GPS

    • Install new applications silently without user notification

    • Modify screen overlays to launch phishing attacks or spoof application interfaces

    • Activate and record from the camera and microphone

    • Access network and system diagnostics for adaptive behavior

    This broad set of permissions allows for a near-complete compromise of the affected device. It opens the door to financial fraud, such as unauthorized payments or subscriptions to premium services, as well as long-term surveillance of users’ movements and communications.
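    The profile and permission list above can be turned into a repeatable first-pass triage. What follows is an added example of mine, not code from the researchers or from the malware: it assumes the analyst has already decoded the APK with apktool so that AndroidManifest.xml is plain XML, hashes the file, compares the MD5 against the published indicator, and flags the permissions and accessibility-service declarations that correspond to the capabilities described. The embedded manifest and the package name com.example.fakeprosecutor are constructed for illustration; the MD5 is the one the report gives.

```python
"""Static triage of a suspected SpyMax/SpyNote APK (added example).

Assumes `apktool d sample.apk` has produced a decoded AndroidManifest.xml.
SAMPLE_MANIFEST below is constructed; only KNOWN_BAD_MD5 comes from the report.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# MD5 published for the "检察院" (Prosecutor's Office) APK.
KNOWN_BAD_MD5 = {"cc7f1343574f915318148cde93a6dfbc"}

# Permissions that map to the capabilities described in the report.
DANGEROUS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.SYSTEM_ALERT_WINDOW": "screen overlays",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install apps",
    "android.permission.INSTALL_PACKAGES": "install apps (system-only)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest, not the real sample's; package name is a placeholder.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeprosecutor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def hash_apk(data: bytes) -> dict:
    """MD5 (to match the published IOC) and SHA-256 (for pivoting elsewhere)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def is_known_sample(md5: str) -> bool:
    return md5.lower() in KNOWN_BAD_MD5


def triage_manifest(manifest_xml: str) -> dict:
    """Flag dangerous permissions and accessibility services in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    flagged = {p: DANGEROUS[p] for p in requested if p in DANGEROUS}
    a11y_services = [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
                     if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]
    # Accessibility plus overlay is the combination used to walk the user through
    # permission prompts while a fake page covers the real system dialog.
    overlay_plus_a11y = bool(a11y_services) and \
        "android.permission.SYSTEM_ALERT_WINDOW" in requested
    return {"package": root.get("package"),
            "flagged_permissions": flagged,
            "accessibility_services": a11y_services,
            "overlay_plus_accessibility": overlay_plus_a11y}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:  # python triage.py sample.apk decoded/AndroidManifest.xml
        with open(sys.argv[1], "rb") as fh:
            hashes = hash_apk(fh.read())
        print(hashes, "KNOWN SAMPLE" if is_known_sample(hashes["md5"]) else "not in IOC list")
        with open(sys.argv[2], encoding="utf-8") as fh:
            print(triage_manifest(fh.read()))
    else:
        print(triage_manifest(SAMPLE_MANIFEST))
```

    The combination check at the end is the one worth alerting on: an app with no system provenance that both declares an accessibility service and requests SYSTEM_ALERT_WINDOW is exactly the shape of the fake settings page described above, whatever its permission list otherwise looks like.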

    Indicators of Compromise

    To support the detection of this threat, security researchers developed a YARA rule to scan for associated patterns and behavior. The command-and-control infrastructure includes a primary server at the IP address 165.154.110.64, which receives encrypted data from infected devices and transmits commands for further activity. Like any single IP indicator it should be blocked immediately but treated as short-lived, since such infrastructure is cheap to rotate.

    Additional indicators of compromise (IOCs) include:

    • Periodic ICMP echo (ping) requests, used to test connectivity before checking in

    • Encrypted data traffic over HTTPS channels to untrusted endpoints

    • Suspicious file storage paths hidden within the app’s directory

    • Unusual app component names and obfuscation patterns designed to evade detection
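    The network-side indicators above translate into three detections: any contact with the published C2 address, ICMP echo traffic that recurs at a near-constant interval, and TLS from a handset to a destination outside an allowlist. The following is an added example of mine, not the researchers' YARA rule and not code from the report. It runs over constructed flow records so it works offline; the 10.0.0.x handset addresses and the 203.0.113.0/24 trusted range are assumptions, and only the C2 address comes from the report.

```python
"""Network detections for the SpyMax campaign indicators (added example).

SAMPLE_FLOWS is constructed: one handset (10.0.0.23) pings the C2 about once a
minute and then opens TLS to it; a second handset (10.0.0.42) behaves normally.
"""
import ipaddress
import statistics
from collections import defaultdict

C2_IPS = {"165.154.110.64"}  # published in the report

# Assumption: destinations already trusted for mobile TLS traffic (documentation range).
TRUSTED_TLS = [ipaddress.ip_network("203.0.113.0/24")]

SAMPLE_FLOWS = [
    {"ts": 0,   "src": "10.0.0.23", "dst": "165.154.110.64", "proto": "icmp", "dport": None},
    {"ts": 61,  "src": "10.0.0.23", "dst": "165.154.110.64", "proto": "icmp", "dport": None},
    {"ts": 119, "src": "10.0.0.23", "dst": "165.154.110.64", "proto": "icmp", "dport": None},
    {"ts": 180, "src": "10.0.0.23", "dst": "165.154.110.64", "proto": "icmp", "dport": None},
    {"ts": 242, "src": "10.0.0.23", "dst": "165.154.110.64", "proto": "icmp", "dport": None},
    {"ts": 250, "src": "10.0.0.23", "dst": "165.154.110.64", "proto": "tcp",  "dport": 443},
    {"ts": 30,  "src": "10.0.0.42", "dst": "203.0.113.10",   "proto": "tcp",  "dport": 443},
    {"ts": 35,  "src": "10.0.0.42", "dst": "203.0.113.10",   "proto": "icmp", "dport": None},
    {"ts": 900, "src": "10.0.0.42", "dst": "203.0.113.10",   "proto": "icmp", "dport": None},
]


def flag_c2_contacts(flows):
    """Every flow, whatever the protocol, whose destination is a known C2 address."""
    return [f for f in flows if f["dst"] in C2_IPS]


def detect_icmp_beaconing(flows, min_pings=4, max_jitter=0.2):
    """(src, dst) pairs whose ICMP traffic recurs at a near-constant interval.

    jitter = pstdev(interval) / mean(interval); a scheduled beacon sits well
    under 0.2, human-driven pings do not. Pairs with fewer than min_pings are
    ignored so a single troubleshooting ping does not alert.
    """
    by_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == "icmp":
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_pings:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if jitter <= max_jitter:
            beacons[pair] = {"pings": len(stamps),
                             "interval": round(mean, 1),
                             "jitter": round(jitter, 3)}
    return beacons


def flag_untrusted_tls(flows, trusted=TRUSTED_TLS):
    """TCP/443 flows to destinations outside the trusted networks."""
    out = []
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == 443:
            ip = ipaddress.ip_address(f["dst"])
            if not any(ip in net for net in trusted):
                out.append(f)
    return out


if __name__ == "__main__":
    print("C2 contacts:", len(flag_c2_contacts(SAMPLE_FLOWS)))
    print("ICMP beacons:", detect_icmp_beaconing(SAMPLE_FLOWS))
    print("untrusted TLS:", flag_untrusted_tls(SAMPLE_FLOWS))
```

    The beaconing check is the durable one: the C2 address will change, but a handset that pings the same host every minute with almost no jitter and then opens TLS to it is behaving like this implant regardless of which server it talks to.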

    Espionage or Cybercrime?

    The level of sophistication and targeting observed in this campaign suggests more than just petty cybercrime. By mimicking official government tools and focusing on Chinese-speaking users, this spyware variant aligns closely with politically motivated cyber espionage. While attribution remains speculative, the operational complexity and long-term surveillance capabilities raise questions about whether this is part of a larger state-sponsored initiative.

    Mobile surveillance tools like this demonstrate how attackers are taking advantage of both Android’s openness and users’ trust in official-looking applications. These campaigns represent a shift from traditional malware tactics to a more strategic use of social engineering and technical subversion.

    Security Recommendations

    To mitigate the risks posed by advanced mobile threats like this one, security experts recommend the following best practices:

    For Organizations:

    • Implement strict Mobile Device Management (MDM) policies to monitor and control app installations.

    • Block known malicious IPs and domains, including the C2 address 165.154.110.64 identified in this campaign, and expect to refresh the list as the infrastructure rotates.

    • Conduct regular training sessions for staff on mobile phishing, fake applications, and permission abuse.

    • Monitor mobile traffic for signs of background anomalies and suspicious communication patterns.

    • Segment mobile devices from sensitive parts of the network to limit exposure.

    For Individual Users:

    • Only install applications from trusted sources such as the official Google Play Store or, where Google Play is unavailable, the device vendor's own store. A government agency does not distribute its app through unofficial third-party stores.

    • Pay close attention to the permissions an app requests, both at install time and when it prompts at runtime. A "Prosecutor's Office" app has no reason to read SMS, record audio, or draw over other apps.

    • Keep Android and its security patches up to date.

    • Use reputable mobile security software with real-time threat detection.

    • Avoid enabling accessibility services unless absolutely necessary and only for known apps. Treat any page inside an app that asks you to enable them as suspect: Android's real accessibility settings live in the system Settings app, not inside the app requesting them.
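    For an organization with adb access to managed handsets (or an MDM that exports the same data), the two things this campaign depends on, sideloading and a third-party accessibility service, can be checked in one pass. The script below is an added example of mine, not code from the report. It parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`; the sample output and every package name in it are constructed placeholders, and the trusted installer and approved accessibility lists are assumptions to adapt to local policy.

```python
"""Audit a managed Android device for sideloaded apps and unapproved
accessibility services (added example).

SAMPLE_PACKAGES and SAMPLE_A11Y are constructed adb output; the package
names are placeholders, not the campaign's.
"""
import subprocess

# Assumption: installer packages the organization treats as legitimate.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
# Assumption: accessibility services approved by policy (e.g. a screen reader).
APPROVED_A11Y = {"com.google.android.marvin.talkback"}

SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.sideloaded/.A11yService")


def parse_packages(text):
    """Map package name -> installer from `pm list packages -3 -i` output."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, installer = line[len("package:"):].partition("installer=")
        result[name.strip()] = installer.strip() or "null"
    return result


def sideloaded(packages):
    """Third-party packages whose installer is not a trusted store."""
    return sorted(p for p, inst in packages.items() if inst not in TRUSTED_INSTALLERS)


def rogue_accessibility(setting):
    """Enabled accessibility services whose package is not on the approved list."""
    services = [s for s in setting.strip().split(":") if s]
    return sorted(s for s in services if s.split("/")[0] not in APPROVED_A11Y)


def audit(packages_text, a11y_text):
    pkgs = parse_packages(packages_text)
    side = sideloaded(pkgs)
    rogue = rogue_accessibility(a11y_text)
    # A sideloaded package that also runs an accessibility service is the exact
    # profile of the fake Prosecutor's Office app and deserves immediate isolation.
    both = sorted(p for p in side if any(s.startswith(p + "/") for s in rogue))
    return {"sideloaded": side,
            "rogue_accessibility": rogue,
            "sideloaded_with_accessibility": both}


def adb_shell(*args):
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    try:
        report = audit(adb_shell("pm", "list", "packages", "-3", "-i"),
                       adb_shell("settings", "get", "secure",
                                 "enabled_accessibility_services"))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("adb or device unavailable; auditing the constructed sample instead")
        report = audit(SAMPLE_PACKAGES, SAMPLE_A11Y)
    print(report)
```

    The installer field is what distinguishes a Play-installed app from one pulled from a third-party store or pushed over adb (installer=null), which is how this campaign's APK arrives; combining it with the accessibility setting catches the implant even if its package name is unknown.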

    A Broader Security Wake-Up Call

    The emergence of this SpyMax variant is a clear signal that mobile devices have become prime targets for surveillance campaigns. The integration of technical exploitation and realistic deception creates a new type of threat—one that is harder to detect, more invasive, and highly effective in bypassing security barriers.

    This case is not an isolated incident. It reflects a broader trend of cyber actors leveraging mobile platforms not just for quick data theft, but for continuous monitoring and control. As smartphones increasingly become the center of personal and professional life, attackers will continue to innovate ways to breach them.

    Organizations and users alike must adapt. Cyber hygiene is no longer optional. Mobile threat awareness, proactive defense strategies, and careful scrutiny of app behavior are essential tools in defending against this new generation of mobile espionage.
