Monday, May 5, 2025
HomeAndroidHackers Target Android Users via WhatsApp to Steal Sensitive Data

Hackers Target Android Users via WhatsApp to Steal Sensitive Data

Published on

SIEM as a Service

Follow Us on Google News

Researchers analyzed a malicious Android sample created using Spynote RAT, targeting high-value assets in Southern Asia, which, likely deployed by an unknown threat actor, aims to compromise sensitive information. 

Although the target’s precise location and nature have not been disclosed, its high-value nature suggests that advanced persistent threat (APT) groups may be interested in it. 

The app was in the menu after the installation was over

A targeted Android attack was launched against high-value individuals in southern Asia as the threat actor attempted a less-than-ideal delivery method via WhatsApp, deploying four obfuscated payloads with similar names.

- Advertisement - Google News

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

These payloads, once installed, quickly concealed themselves and operated silently in the background, communicating with a common C&C server, where the attacker’s intent was likely to compromise the victim’s device and potentially exfiltrate sensitive data.

Analysis of the decompiled payload reveals malicious functionalities. The AndroidManifest file requests permissions for accessing precise location (ACCESS_FINE_LOCATION), reading contacts (READ_CONTACTS), camera (CAMERA), SMS (READ_SMS), and external storage (WRITE_EXTERNAL_STORAGE). 

Module to monitor call activity

These permissions allow the attacker to track the user’s location, steal contacts, potentially take pictures or videos, intercept SMS messages, and potentially exfiltrate data from the device’s storage. 

It also demonstrates the app’s ability to interact with the file system, monitor phone calls, and retrieve the user’s precise location, which suggests the payload is designed for comprehensive data collection and espionage. 

The malicious code attempts to gain unauthorized access to sensitive device information by exploiting the device’s accessibility settings to monitor user activity, potentially capturing screen content and keystrokes. 

According to Cyfirma, it also extracts critical device details like the IMEI number, SIM information, Android version, network type, and IMSI, compromising the user’s privacy and security.

Module that exploits accessibility

SpyNote, a sophisticated Remote Administration Tool (RAT), has been exploited by various threat actors, including APT groups like OilRig, APT-C-37, and OilAlpha, which have leveraged SpyNote to target critical sectors and individuals, compromising Android devices to steal data and maintain persistent access. 

The tool’s versatility and adaptability have made it a preferred choice for malicious actors, highlighting the evolving threat landscape and the need for robust security measures to counter such attacks. 

A high-value target in Southern Asia was attacked by an unidentified threat actor or an unknown APT group, where the attack employed the publicly available SpyNote malware, demonstrating the threat actor’s preference for this tool in targeting high-profile individuals.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Claude AI Abused in Influence-as-a-Service Operations and Campaigns

Claude AI, developed by Anthropic, has been exploited by malicious actors in a range...

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting...

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the...

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool...