Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Spynote

137
Global rank
99
Month rank
116 infographic chevron week
Week rank
0
IOCs

SpyNote, also known as SpyMax and CypherRat, is a powerful Android malware family designed primarily for surveillance and data theft, often categorized as a Remote Access Trojan (RAT). Originally emerged in 2016, SpyNote has evolved significantly, with new variants continuing to appear as recently as 2023–2025.

RAT
Type
Unknown
Origin
1 June, 2016
First seen
30 September, 2025
Last seen
Also known as
SpyMax
CypherRat

How to analyze Spynote with ANY.RUN

RAT
Type
Unknown
Origin
1 June, 2016
First seen
30 September, 2025
Last seen

IOCs

Domains
ftwa.islam.online
Last Seen at

Recent blog posts

post image
Release Notes: Palo Alto Networks, Microsoft,...
watchers 1223
comments 0
post image
FunkSec’s FunkLocker: How AI Is Powering the...
watchers 2907
comments 0
post image
ANY.RUN & MS Defender: Enrich Alerts Faster,...
watchers 2883
comments 0

What is SpyNote malware?

SpyNote (aka SpyMax and CypherRat) is a Remote Access Trojan (RAT) designed for Android devices. It evades detection while maintaining persistent access and provides attackers with extensive control over infected devices, enabling:

  • Keylogging
  • Screen recording & screenshots
  • Call & SMS interception
  • Microphone & camera activation
  • File theft & remote execution
  • GPS tracking
  • App manipulation (uninstalling security apps).

SpyNote primarily spreads through social engineering tactics, exploiting user trust to install the malware on Android devices. Its infiltration methods include phishing and smishing campaigns when users receive malicious emails and text messages posing as legitimate communications from banks, service providers, or trusted entities, urging users to download fake apps or updates. For example, campaigns have mimicked Italian government alerts or antivirus software. Other examples included SpyNote posing as critical services, such as power or water suppliers, to create urgency and prompt immediate installation.

Targeted attacks, especially against high-value individuals in South Asia, have used WhatsApp to deliver SpyNote payloads disguised as legitimate files. This malware has been hosted on deceptive websites mimicking legitimate platforms, such as Google Play Store pages or antivirus software sites (e.g., fake Avast Mobile Security)

SpyNote has been caught impersonating trusted applications, such as banking apps (e.g., HSBC, Deutsche Bank), system updates, productivity tools, and games. This trojan is frequently distributed through unofficial app stores or sideloaded APKs, bypassing Google Play’s security checks.

Read about Salvador Stealer, another Android threat abusing mobile banking

Once installed, SpyNote requests permissions, particularly Accessibility Services, which it abuses to grant itself additional permissions without user intervention, ensuring deep access to the device.

Besides exfiltrating sensitive data (SMS messages, call logs, contacts, GPS location, files, photos, credentials), SpyNote captures keystrokes and screenshots and activates the microphone and camera to record audio, phone calls, or videos. It allows attackers to initiate transactions and execute arbitrary commands. It can also install additional apps or malware, update itself, or uninstall apps to maintain persistence.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

SpyNote RAT’s Prominent Features

SpyNote is especially notable and dangerous due to its versatility and targeting of sensitive data and sectors:

  • Financial Sector: Targets banking apps (e.g., HSBC, Deutsche Bank, Bank of America) to steal credentials, perform on-device fraud, or bypass 2FA, leading to financial losses. Recent variants focus on cryptocurrency wallets, enabling unauthorized transfers.
  • Critical Infrastructure and Services: Poses as essential service providers (e.g., power, water, or emergency alerts) to exploit user urgency, potentially disrupting trust in legitimate services.
  • High-Value Targets: Used by APT groups to spy on government agencies, NGOs, media organizations, and activists, particularly in South Asia. Campaigns have targeted Indian defense personnel and other high-profile individuals.
  • Widespread Accessibility: Source code leaks (e.g., CypherRat in October 2022) have made SpyNote widely available on darknet forums and Telegram, enabling independent actors and organized groups to deploy custom variants. Variants like SpyNote.A, SpyNote.B, SpyNote.C, SpyMax, Crax RAT, and Eagle Spy continue to evolve with enhanced capabilities.
  • Persistence: Its ability to resist uninstallation and survive reboots makes it a long-term threat, often requiring a factory reset, which results in data loss.

SpyNote’s Execution Process and Technical Details

ANY.RUN’s Interactive Sandbox supports the analysis of APK files and enables the research of Android malware, so we can watch SpyNote in action after detonating its APK disguised as an app of the Spanish BBVA Bank in the safe VM environment.

View the analysis session

SpyNote’s execution chain starts with deceptive distribution. Operators clone Google Play pages or send SMS phishing links that claim you need a popular app update or mobile‑banking tool. Tapping the “Install” or “Download” button triggers a short JavaScript snippet that silently drops a tampered APK — often branded with a convincing name and icon like “BBVA Prime” in our case — onto the device.

SpyNote malware analysis in ANY.RUN A sample of SpyNote detonated inside ANY.RUN's Interactive Sandbox

When the user opens the app, SpyNote asks for permissions such as Accessibility Service access. Granting that single request is enough: using Accessibility, the malware auto‑clicks its way through every subsequent dialogue to secure dangerous privileges — including reading and sending SMS, recording audio, taking photos, accessing contacts, call logs, and external storage — without showing more pop‑ups.

To avoid discovery, SpyNote immediately hides its icon from the launcher and recent‑apps screen. The implant can then be awakened by several triggers: receipt of certain SMS commands, an outgoing phone call, a visit to a specific URL, or an auxiliary “launcher” dropper that sends an explicit intent. Once active, it establishes an encrypted channel to hard‑coded command‑and‑control servers for tasking and data exfiltration.

Capabilities are extensive: intercepting and forwarding 2FA codes, logging keystrokes, capturing screenshots, recording calls, activating the microphone and both cameras, tracking GPS, and silently downloading further payloads. If the victim opens Settings or long‑presses the app in an attempt to uninstall, SpyNote leverages the same Accessibility control to close those windows or quickly restart its own service, making removal nearly impossible without booting into safe mode or using ADB.

Finally, the authors layer heavy code obfuscation, dynamic string encryption, and anti‑emulator checks to frustrate static scanners and researchers. Dynamic cloud sandboxes like ANY.RUN, however, can still surface its behavior by executing the sample on real Android images, revealing the full attack chain.

What are the best-known SpyNote campaigns?

  • Financial Sector Focus (2022–2023): SpyNote.C began targeting banks like HSBC, Deutsche Bank, and Kotak Bank, combining spyware and banking trojan features.
  • European Surge (June–July 2023): Cleafy reported aggressive campaigns targeting European banks via phishing and smishing.
  • Cryptocurrency Theft (2024): New variants targeted crypto wallets, using Accessibility APIs to steal gestures and initiate transfers.
  • Fake Antivirus Campaigns (2024): SpyNote posed as Avast Mobile Security, using 14 domains to distribute malware.
  • Fake Google Play Pages (2025): Recent campaigns used deceptive websites mimicking Google Play to deliver SpyNote.

Gathering Threat Intelligence on SpyNote malware

ANY.RUN’s Threat Intelligence Lookup aggregates information about Android malware samples analyzed in the Interactive Sandbox. A number of SpyNote-bearing recently encountered APKs are available for investigating and collecting IOCs:

threatName:"SpyNote"

SpyNote malware samples in ANY.RUN Malicious APKs added by the Sandbox users

Each analysis session in the Sandbox contains a number of IOCs. Use them as search requests to TI Lookup for further exploring the threat and gathering data for monitoring and detection.

IOCs from SpyNote analysis Indicators of compromise from one of SpyNote samples

You can also view processes initiated by the malware to get the full picture of its operational paradigm and explore its TTPs.

SpyNote malicious processes SpyNotes activities step by step with links to TTPs

SpyNote malicious processes continued SpyNote malicious processes, continued

Integrate ANY.RUN’s threat intelligence solutions in your company

Contact us

Conclusion

SpyNote is a sophisticated Android Remote Access Trojan (RAT) that has evolved into a significant threat since its emergence around 2016. It targets Android devices, primarily to steal sensitive data, monitor user activities, and enable remote control by cybercriminals.

It is highly dangerous due to its advanced capabilities, widespread availability, and focus on financial fraud, privacy invasion, and targeted espionage. By leveraging threat intelligence, behavioral and signature-based detection, and proactive countermeasures, users and organizations can mitigate the risks posed by SpyNote.

Engage ANY.RUN’s Threat Intelligence Lookup with 50 trial requests to collect IOCs, enhance your understanding of the malware, and enforce protection.

HAVE A LOOK AT

Cactus Ransomware screenshot
Cactus ransomware-as-a-service (RaaS) was first caught in March 2023 targeting corporate networks. It became known for its self-encrypting payload and double extortion tactics. Cactus primarily targets large enterprises across industries in finance, manufacturing, IT, and healthcare. It is known for using custom encryption techniques, remote access tools, and penetration testing frameworks to maximize damage.
Read More
Stealc screenshot
Stealc
stealc
Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.
Read More
WhiteSnake screenshot
WhiteSnake
whitesnake
WhiteSnake is a stealer with advanced remote access capabilities. The attackers using this malicious software can control infected computers and carry out different malicious activities, including stealing sensitive files and data, recording audio, and logging keystrokes. WhiteSnake is sold on underground forums and often spreads through phishing emails.
Read More
WannaCry screenshot
WannaCry
wannacry ransomware
WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
Read More
Loader screenshot
Loader
loader downloader
A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Read More
GootLoader screenshot
GootLoader
gootloader
GootLoader is an initial-access-as-a-service malware that operates by delivering the GootKit banking trojan and other malicious payloads. It utilizes techniques such as fileless execution and process injection to avoid detection. The malware is often distributed through SEO poisoning and compromised websites, deceiving users into downloading infected files.
Read More