Researchers have reported a rapid spread of a new variant of the SpyNote Android virus.

One piece of Android malware, known as SpyNote (or SpyMax), had its most recent iteration, CypherRat, disseminated for a payment using encrypted Telegram channels. Remote access, GPS monitoring, and updates on the device’s status and activities were just some of the functions the programme provided, but it could also steal your banking app credentials.

This sudden increase has been blamed by experts on the free availability of the malware on GitHub, where it has been downloaded by a large number of threat actors who are using it to attack financial institutions like HSBC and Deutsche Bank and to distribute malicious versions of WhatsApp, Facebook, and other popular apps in the Google Play Store.

Increasing danger

From August 2021 until October 2022, it was speculated that the malware’s original writers were selling it. However, after a series of scam occurrences in which fraudsters impersonated the project and sold fake programmes, the genuine authors released the malware’s source code on GitHub.

There was likely a rise in infections when other threat actors took up the source code. ThreatFabric analysts have been monitoring CypherRat and they predict that the number of infections will continue to rise in the following weeks and months.

ThreatFabric has revealed that in addition to the aforementioned capabilities, CypherRat can also steal Facebook and Google account passwords, extract Google Authenticator codes, keylog, and use the camera API to capture and transfer videos from compromised endpoints.

Giving SpyNote permission to use the Android Accessibility Service, the gold standard for determining whether or not an app is malicious, is necessary for it to function.

Though the researchers have not yet confirmed it, it is probable that CypherRat is being disseminated via phishing domains and unofficial Android app stores.