Endpoint Security, Fraud Management & Cybercrime, Social Engineering
Malware Spotted Masquerading as Avast Antivirus
Android SpyNote malware is masquerading as antivirus software, abusing Android system features to infiltrate devices, seize control and steal sensitive information from unsuspecting users.
A report from Cyfirma shows the malware disguising itself as “Avast Mobile Security” in a recent campaign.
After installation, it requests permissions typically associated with antivirus apps, such as Accessibility Services. The malware uses this access to silently grant itself additional permissions, circumventing user restrictions. It further excludes itself from battery optimization, enabling continuous operation without alerting users. It also simulates user gestures to maintain persistence on the device. It displays misleading system update notifications that, when tapped, direct users back to the malware app, creating a deceptive loop to prevent detection and uninstallation.
It targets cryptocurrency accounts, aiming to extract private keys and balance information, particularly for popular assets like Bitcoin, Ethereum and Tether. SpyNote also monitors network traffic to ensure an active internet connection, which it uses to communicate with its command-and-control servers.
SpyNote’s data harvesting capabilities extend to capturing credentials and storing them on the device SD card. After collecting sufficient data, the malware writes over the card, removing traces of its activity.
The malware’s obfuscation and evasion capabilities make it a challenging target for security tools. By employing code obfuscation and custom packages, SpyNote conceals its components, disguising its true nature to evade reverse engineering and detection. It also detects virtual environments, allowing it to avoid analysis environments like emulators or virtual machines used by researchers.
SpyNote resists uninstallation by monitoring system settings for removal attempts and blocking them through simulated user interactions. It hijacks accessibility services to simulate user inputs, preventing attempts to disable or remove the app from device settings. When users try to access the malware’s app settings or permissions, it automatically navigates back to the device’s home screen, ensuring its continued presence.
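The two persistence traits described above, an abused Accessibility Service and a self-granted exemption from battery optimization, are both visible in device state that an administrator can pull over `adb shell`. The following triage script is an added example, not part of the Cyfirma report or this article: it parses constructed sample output of `settings get secure enabled_accessibility_services` and `dumpsys deviceidle whitelist` (the exact line formats are assumptions and may differ between Android versions) and flags any package that holds accessibility rights without being on an assumed allowlist, noting whether it also carries a user-level battery exemption. The package name `com.example.fakeav` is constructed for the sample and is not an indicator from the campaign.

```python
"""Triage helper: flag packages that combine an enabled Accessibility Service with
a battery-optimization exemption and are not on a trusted allowlist.

Both inputs are CONSTRUCTED samples of Android command output collected via adb;
the line formats are assumptions and may vary across Android versions."""

from dataclasses import dataclass, field

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated "package/service" entries.
ENABLED_ACCESSIBILITY_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeav/com.example.fakeav.AccService"
)

# Constructed sample of `dumpsys deviceidle whitelist` lines: "<type>,<package>,<uid>".
DEVICEIDLE_WHITELIST = """\
system,com.android.vending,10104
system,com.google.android.gms,10025
user,com.example.fakeav,10233
user,com.example.musicplayer,10240
"""

# Packages an organisation expects to hold accessibility rights (assumed allowlist).
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_accessibility_services(raw: str) -> set[str]:
    """Return the set of package names that have an enabled accessibility service."""
    packages = set()
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        packages.add(entry.split("/", 1)[0])  # keep the package, drop the service class
    return packages


def parse_deviceidle_whitelist(raw: str) -> dict[str, str]:
    """Map package name -> whitelist type ('system' or 'user') from dumpsys output."""
    result = {}
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        result[parts[1]] = parts[0]
    return result


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def triage(acc_raw: str, whitelist_raw: str, trusted: set[str]) -> list[Finding]:
    """Flag untrusted packages holding accessibility rights; note a user battery exemption."""
    acc = parse_accessibility_services(acc_raw)
    exempt = parse_deviceidle_whitelist(whitelist_raw)
    findings = []
    for pkg in sorted(acc - trusted):
        finding = Finding(pkg, ["enabled accessibility service (not on allowlist)"])
        # A 'user' entry means the app asked for (or granted itself) the exemption;
        # 'system' entries are platform defaults and are not flagged.
        if exempt.get(pkg) == "user":
            finding.reasons.append("user-level battery optimization exemption")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_ACCESSIBILITY_SERVICES, DEVICEIDLE_WHITELIST, TRUSTED_ACCESSIBILITY):
        print(f"{f.package}: {'; '.join(f.reasons)}")
```

Running the script on the constructed sample reports only `com.example.fakeav`, with both reasons attached; a legitimate accessibility app such as TalkBack is suppressed by the allowlist, and a music player that is battery-exempt but has no accessibility service is ignored, since that combination is what distinguishes the behaviour described above from ordinary apps.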
SpyNote is distributed through phishing sites mimicking the legitimate Avast antivirus download page. These sites host APKs named Avastavv.apk, which users can download directly onto their Android devices. For iOS users, clicking on the download link redirects them to the legitimate App Store download page for AnyDesk Remote Desktop. The phishing sites also offer AnyDesk downloads for Windows and Mac desktops, further expanding the campaign’s reach.