
Fake IT Alert app used to spread SpyNote Android Malware

Researchers at the Italian cybersecurity firm D3Lab have discovered a new campaign delivering the SpyNote Android malware. The attackers disguised the malware as the app of a public alert service, namely the IT Alert service operated by the Department of Civil Protection under the Italian government. The fake app can steal the victim’s login credentials and other sensitive data from the infected device.

Malware-laced IT Alert app is targeting Android users in Italy

Italy’s IT Alert service provides citizens with alerts and information about disasters and serious emergencies. It pushes emergency messages to mobile phones during floods, earthquakes, wildfires, and other calamities using cell broadcast, so the genuine service needs no app at all. Threat actors built a fake website imitating the government service to distribute malware. The site warns of a possible “national earthquake” caused by an imminent volcanic eruption.

It urges visitors to install an IT-Alert app for more details, including which regions would be hit hardest. The site's download button serves an “IT-Alert.apk” file to Android devices; when the same button is clicked from a PC or an iPhone, the site redirects to the official website instead, so only Android users, the ones who can actually run the payload, ever see it. An unsuspecting Android user would take the app for a genuine one and install it to learn more about the seemingly imminent danger.
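The user-agent cloaking described above is easy to confirm from the outside: request the same URL as an Android browser, an iPhone and a desktop and compare where each ends up. The script below is an added example, not code from D3Lab or the report; it assumes the lure behaves as described (APK for Android, redirect to the official site for everyone else), and every URL, User-Agent string and the `fetch` hook are constructed placeholders.

```python
"""Probe a URL with several User-Agent strings to detect user-agent cloaking.

Added example, not code from the D3Lab report. It assumes the lure site
behaves as the report describes: Android browsers are handed an APK while
desktop and iPhone visitors are redirected to the legitimate site. The URLs
and User-Agent strings are constructed placeholders.
"""
import urllib.error
import urllib.parse
import urllib.request

# Constructed User-Agent strings for the client classes the lure site distinguishes.
USER_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/118.0.0.0 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
}
APK_MIME = "application/vnd.android.package-archive"


def default_fetch(url, user_agent, timeout=10):
    """Issue one GET with the given User-Agent, following redirects.

    Returns (final_url, content_type, content_disposition). Only headers are
    inspected; the body is not read, so an APK is never written to disk.
    """
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return (resp.geturl(),
                    resp.headers.get("Content-Type", ""),
                    resp.headers.get("Content-Disposition", ""))
    except urllib.error.HTTPError as err:
        # A 4xx/5xx still tells us where this client class ended up.
        return err.geturl(), err.headers.get("Content-Type", ""), ""


def probe(url, fetch=default_fetch):
    """Fetch url once per client class; fetch is injectable for offline testing."""
    return {client: fetch(url, ua) for client, ua in USER_AGENTS.items()}


def looks_like_apk(final_url, content_type, content_disposition):
    """True if the response is an APK download by MIME type, filename hint or URL."""
    mime = content_type.split(";")[0].strip().lower()
    return (mime == APK_MIME
            or ".apk" in content_disposition.lower()
            or urllib.parse.urlsplit(final_url).path.lower().endswith(".apk"))


def classify(results):
    """Summarise per-client behaviour.

    'cloaked' is set when the Android client receives an APK while at least one
    other client is sent to a different host or gets something other than the APK.
    """
    android = results["android"]
    android_apk = looks_like_apk(*android)
    android_host = urllib.parse.urlsplit(android[0]).netloc.lower()
    diverging = {}
    for client, (final_url, content_type, disposition) in results.items():
        if client == "android":
            continue
        host = urllib.parse.urlsplit(final_url).netloc.lower()
        if host != android_host or not looks_like_apk(final_url, content_type, disposition):
            diverging[client] = final_url
    return {
        "android_gets_apk": android_apk,
        "diverging_clients": diverging,
        "cloaked": android_apk and bool(diverging),
    }


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://lure.example/"  # hypothetical URL
    print(json.dumps(classify(probe(target)), indent=2))
```

Run it against a suspect URL from an isolated analysis host; a verdict of `cloaked` with the Android client landing on an `.apk` and the others on a different host is the pattern this campaign shows. The check reads only response headers, so no payload is saved, and the injectable `fetch` lets you replay captured responses without touching the live site.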

Little do they know that they have invited the danger onto their phone. The APK installs the SpyNote malware, which then pushes the victim to enable it as an accessibility service, D3Lab reports. With that access the app effectively runs persistently in the background under remote control, and the attacker can carry out a wide range of malicious actions on the device, including stealing sensitive data and files.

The malware can capture and send photos and videos to servers operated by the attacker. It can also record calls, log key presses, and obtain login credentials and two-factor authentication (2FA) codes for banking apps and other online platforms. In short, the threat actor gains full control of the compromised device. They can do just about anything without the user noticing it. The use of accessibility services makes it difficult for users to uninstall the app.

Sideloading apps is always dangerous

The SpyNote Android malware has been around for several years; the sample in this campaign is reportedly its third version (SpyNote.C). Over the years we have seen many variants, some impersonating banking apps and others impersonating widely used apps such as the Google Play Store, Play Protect, WhatsApp, and Facebook. When a campaign is exposed, the operators quickly come up with new lures.

The underlying problem, however, is users letting their guard down when sideloading. Installing apps from unknown sources is always risky. A genuine app from a government body or a well-known vendor is published through official stores such as Google Play, so download it from there, and be suspicious of any site that hands you an APK directly. Threat actors rely on exactly that channel to deliver malware and other malicious code. We recently saw something similar in a spyware attack in Israel.
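The two traits that make this infection dangerous, a sideloaded package and an enabled accessibility service (discussed in the infection section above and in the sideloading point here), are both visible over adb, so a device can be triaged in seconds. The script below is an added example, not code from D3Lab or the report: it parses the output of `pm list packages -3 -i` and `settings get secure enabled_accessibility_services`, and flags third-party apps that were not installed by a trusted store yet hold accessibility access. The trusted-store list is an assumption to adapt to your fleet, and the sample output and `com.example.*` package names are constructed, not indicators from the campaign.

```python
"""Flag sideloaded Android apps that hold accessibility-service access.

Added example for triaging a device, not code from the D3Lab report. It parses
the output of two standard adb commands:

    adb shell pm list packages -3 -i
    adb shell settings get secure enabled_accessibility_services

The sample output and package names below (com.example.*) are constructed for
the demonstration; they are not indicators from the campaign.
"""
import re
import subprocess

# Installer package names treated as trusted stores (assumption: extend for
# the OEM stores present in your fleet). Anything else, including "null" and
# the plain system package installer, means the APK was sideloaded.
TRUSTED_INSTALLERS = {
    "com.android.vending",               # Google Play
    "com.sec.android.app.samsungapps",   # Galaxy Store
}

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_installers(text):
    """Map package name -> installer from `pm list packages -3 -i` output."""
    result = {}
    for line in text.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility(text):
    """Set of packages with an enabled accessibility service.

    The setting is a colon-separated list of package/ServiceClass entries and
    reads "null" when nothing is enabled.
    """
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def triage(installers, a11y_packages, trusted=TRUSTED_INSTALLERS):
    """One finding per third-party package; suspicious = sideloaded + accessibility."""
    findings = []
    for pkg, installer in sorted(installers.items()):
        sideloaded = installer not in trusted
        has_a11y = pkg in a11y_packages
        findings.append({
            "package": pkg,
            "installer": installer,
            "sideloaded": sideloaded,
            "accessibility": has_a11y,
            "suspicious": sideloaded and has_a11y,
        })
    return findings


def adb(*args):
    """Run an adb command and return its stdout (requires adb and a connected device)."""
    return subprocess.run(["adb", *args], capture_output=True, text=True, check=True).stdout


# Constructed sample output, standing in for a live device.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.italert  installer=null
package:com.example.screenreader  installer=com.android.vending
package:com.example.sideloaded_game  installer=com.google.android.packageinstaller
"""
SAMPLE_A11Y = ("com.example.italert/com.example.italert.AccService:"
               "com.example.screenreader/.ReaderService")


if __name__ == "__main__":
    try:
        pkgs = adb("shell", "pm", "list", "packages", "-3", "-i")
        a11y = adb("shell", "settings", "get", "secure", "enabled_accessibility_services")
    except (FileNotFoundError, subprocess.CalledProcessError):
        pkgs, a11y = SAMPLE_PACKAGES, SAMPLE_A11Y   # no device: fall back to the sample
    for f in triage(parse_installers(pkgs), parse_accessibility(a11y)):
        mark = "!!" if f["suspicious"] else "  "
        print(f"{mark} {f['package']:40} installer={f['installer']} a11y={f['accessibility']}")
```

A legitimate screen reader from the store also holds accessibility access, which is why the check keys on the combination of sideload plus accessibility rather than on either alone; in the sample only the sideloaded `com.example.italert` is flagged. Restricting to `-3` (third-party packages) keeps preinstalled system apps, which also report `installer=null`, out of the results.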

Google has confirmed that no app in the Play Store has the SpyNote malware. “Based on our current detection, no apps containing this spyware are found on Google Play. Google implemented user protections for this spyware ahead of this report’s publication,” the company told Bleeping Computer. “Users are protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”