Hackers Use SMS Alerts to Install SpyNote Malware

Reports indicate that a smishing campaign targeted Japanese Android users by impersonating a Japanese power and water infrastructure company. The SMS contains a link that lures victims to a phishing site.

Once victims click the link, mobile malware is downloaded, which was identified as SpyNote.

The SMS warns users of payment problems with their water or power service to create a sense of urgency and push them to act quickly.

Smishing Campaign

The smishing messages use different pretexts, including a suspension of power transmission due to non-payment and a suspension notice for the water supply due to non-payment.

Suspension notice of Power Transmission (Source: twitter.com/@Tobilasystems)
Suspension of Water Supply (Source: twitter.com/@Tobilasystems)

Victims who visit these malicious URLs are prompted to install the SpyNote malware.

SpyNote Malware

The source code of SpyNote was leaked in October 2022, after which it spread widely among cybercriminals and is being used for malicious purposes. SpyNote is capable of abusing accessibility services and device administrator privileges.

It can also steal device location, contacts, SMS messages, and phone calls. Once installed, the malware displays a legitimate-looking app icon to appear genuine.

When the victims open the application, it prompts them to enable the Accessibility feature.

If the victim grants permission, the application disables battery optimization, which allows it to run in the background, and also grants itself the unknown-sources installation permission so it can install additional malware without the user's knowledge or consent, according to the McAfee blog post.

This malware was previously observed in April in an attack impersonating the Bank of Japan, where it was distributed through a different method.

Threat actors keep track of companies that have legitimate reasons to contact their customers, which makes such impersonations more convincing.

Indicators of Compromise

Command and Control Server

  • 104.233[.]210.35:27772

Malware Samples

SHA256 Hash
075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954
e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f
a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734
cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d
59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6
8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2
5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6
a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422
755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d
2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85
90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba
513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b
0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1
acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b
91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e
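As an added example (not part of the original article or of any McAfee tooling), the script below shows how a defender would put the indicators in this section to work: it validates and de-duplicates the published SHA-256 list, refangs the defanged C2 address, hashes a file and checks it against the list, and scans log lines for the C2 host without false-matching on longer addresses that merely contain it. The sample file bytes and the firewall-style log lines are constructed for the example; only the hashes and the C2 address come from the article.

```python
"""Triage helper: match files and logs against the SpyNote IoCs listed above."""
from __future__ import annotations

import hashlib
import re
from typing import Iterable

# SHA-256 hashes and the C2 address as published in the article above.
# The parser below validates each line and drops duplicates.
IOC_HASH_TEXT = """
075909870a3d16a194e084fbe7a98d2da07c8317fcbfe1f25e5478e585be1954
e2c7d2acb56be38c19980e6e2c91b00a958c93adb37cb19d65400d9912e6333f
a532c43202c98f6b37489fb019ebe166ad5f32de5e9b395b3fc41404bf60d734
cb9e6522755fbf618c57ebb11d88160fb5aeb9ae96c846ed10d6213cdd8a4f5d
59cdbe8e4d265d7e3f4deec3cf69039143b27c1b594dbe3f0473a1b7f7ade9a6
8d6e1f448ae3e00c06983471ee26e16f6ab357ee6467b7dce2454fb0814a34d2
5bdbd8895b9adf39aa8bead0e3587cc786e375ecd2e1519ad5291147a8ca00b6
a6f9fa36701be31597ad10e1cec51ebf855644b090ed42ed57316c2f0b57ea3c
f6e2addd189bb534863afeb0d06bcda01d0174f5eac6ee4deeb3d85f35449422
755585571f47cd71df72af0fad880db5a4d443dacd5ace9cc6ed7a931cb9c21d
2352887e3fc1e9070850115243fad85c6f1b367d9e645ad8fc7ba28192d6fb85
90edb28b349db35d32c0190433d3b82949b45e0b1d7f7288c08e56ede81615ba
513dbe3ff2b4e8caf3a8040f3412620a3627c74a7a79cce7d9fab5e3d08b447b
0fd87da37712e31d39781456c9c1fef48566eee3f616fbcb57a81deb5c66cbc1
acd36f7e896e3e3806114d397240bd7431fcef9d7f0b268a4e889161e51d802b
91e2f316871704ad7ef1ec74c84e3e4e41f557269453351771223496d5de594e
"""
C2_DEFANGED = "104.233[.]210.35:27772"

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def load_hashes(text: str) -> set[str]:
    """Return the set of well-formed, lower-cased SHA-256 values in a hash list."""
    hashes: set[str] = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if SHA256_RE.match(token):
            hashes.add(token)
    return hashes


SPYNOTE_SHA256 = load_hashes(IOC_HASH_TEXT)


def refang(indicator: str) -> str:
    """Convert a defanged indicator (e.g. 1.2[.]3.4, hxxp://) back to its live form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_sample(data: bytes, hashes: set[str] = SPYNOTE_SHA256) -> bool:
    """True when the file contents hash to one of the published SpyNote samples."""
    return sha256_of(data) in hashes


def c2_pattern(c2: str = C2_DEFANGED) -> re.Pattern:
    """Regex matching the C2 host as a whole token, optionally followed by its port.

    The look-arounds stop 104.233.210.355 or 1.104.233.210.35 from matching.
    """
    host, port = refang(c2).rsplit(":", 1)
    return re.compile(rf"(?<![\d.]){re.escape(host)}(?![\d.])(?::{port}\b)?")


def scan_log(lines: Iterable[str], c2: str = C2_DEFANGED) -> list[str]:
    """Return the log lines that reference the C2 host."""
    pat = c2_pattern(c2)
    return [line for line in lines if pat.search(line)]


# Constructed sample input (hypothetical, not from the article): a benign file and
# four firewall-style log lines, two of which reference the C2 host.
SAMPLE_FILE = b"not a real APK, constructed for this example"
SAMPLE_LOG = [
    "conn src=10.0.0.12 dst=104.233.210.35 dport=27772 proto=tcp",
    "conn src=10.0.0.12 dst=104.233.210.355 dport=443 proto=tcp",
    "conn src=10.0.0.7 dst=1.104.233.210.35 dport=80 proto=tcp",
    "conn src=10.0.0.9 dst=104.233.210.35 dport=443 proto=tcp",
]

if __name__ == "__main__":
    print("known SpyNote sample:", is_known_sample(SAMPLE_FILE))
    for hit in scan_log(SAMPLE_LOG):
        print("C2 hit:", hit)
```

Matching on the host alone (port optional) is deliberate: a sample that talks to the same server on a different port still deserves a look, while the look-arounds keep longer addresses that happen to contain the octets from producing noise.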

Smishing is a social engineering attack that threat actors use to target individuals over SMS. Mobile device users should stay alert to smishing campaigns of this kind.


Eswar
