Security News Fake Netflix App Relentlessly Spies on All Mobile Activity

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
An espionage trojan called SpyNote RAT has been found masquerading as the popular Netflix app, to trick Android users into downloading it. It then sets about constantly eavesdropping on user activity.

Zscaler’s ThreatlabZ said that once installed, the malware is capable of activating the device’s microphone and listening to live conversations; uninstalling antivirus software; copying files from the device to the hacker’s server; recording screen captures; viewing contacts; reading SMS messages; and gaining remote control of the device.

To the latter point, command execution can create havoc for victim if the malware developer decides to execute commands in the victim’s device. Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day.

“The spyware in this analysis was portraying itself as the Netflix app. Once installed, it displayed the icon found in the actual Netflix app on Google Play,” researchers explained, in an analysis. “As soon as the user clicks the spyware’s icon for the first time, nothing seems to happen and the icon disappears from the home screen. This is a common trick played by malware developers, making the user think the app may have been removed. But, behind the scenes, the malware has not been removed; instead it starts preparing its onslaught of attacks.”

SpyNote RAT also uses an unusual trick to make sure that it remains up and running and that the spying does not stop. It uses something called BootComplete, which is a broadcast receiver—an Android component that can register itself for a particular event. In this case, whenever the device is booted, BootComplete gets triggered. BootComplete then starts the AutoStartup service, which can perform long-running operations in the background and does not need a user interface. And then the AutoStartup service makes sure that the RAT’s core functionality is always running.

The team also found several other fake apps developed using the SpyNote builder, including faux versions of Whatsapp, YouTube Video Downloader, Google Update, Instagram, AirDroid, Faceboo, Photoshop, SkyTV, Hotstar, Trump Dash and PokemonGo.

Overall, in just the first two weeks of 2017, there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild, the researchers noted.

“The days when one needed in-depth coding knowledge to develop malware are long gone,” they said. “Nowadays, script kiddies can build a piece of malware that can create real havoc. Moreover, there are many toolkits like the SpyNote Trojan builder that enable users to build malware with ease and few clicks. Because mobile devices are everywhere, malware is everywhere, too. That’s why Zscaler advises all mobile users to take precautions when downloading anything to their devices, including apps.”

In particular, users should avoid side-loading apps from third-party app stores and avoid the temptation to download and play games that are not yet officially available on Android.
 
W

Wave

Obviously it's not a positive thing but for some reason I find it pretty funny. I can just imagine a couple getting ready for "Netflix & Chill" only t find that it isn't really Netflix, it's their text messages being spied on or something similar. LOL :D :D

I normally go to sleep at 12am when I have college the next day but when I go to "sleep" I really mean... I watch a film on Netflix until 2am. So if this happened to me I wouldn't be happy to get my daily dose haha :p

Thanks for sharing :)
 
Last edited by a moderator:

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
Thank you, Exterminator, for reminding us of how our security fortress is ever dependent on what and whom we allow to cross the proverbial drawbridge to enter into The Android Citadel which is housed by our mobile device.

..and @Wave, "do" get enough sleep so you won't end up like that imaginary couple, lol!:p
It may even lift your grades to new heights as well (let's hope).;)
 
  • Like
Reactions: Wave
W

Wave

It may even lift your grades to new heights as well (let's hope).;)
I don't think I got even a C for any of my GCSEs last year so I'm redoing the essentials alongside college... I would've got better but it was my own fault and I had it coming. At the end of the day, make sure you attend your exams while in a sober state... Lesson learnt!
 
  • Like
Reactions: Cats-4_Owners-2

Paul123

Level 4
Verified
Well-known
Dec 9, 2016
174
For the same reason that some people would download any other fake software from the internet... They don't know what they're doing and get tricked.
There are times when you would download 'legitimate' apps from the internet that aren't in the store. f.lux for IoS used to only be available this way, because Apple refused to allow it (mainly because they wanted to pinch the idea and claim it as their own in later IoSs I think) and there were other apps, like one that gave a dynamic weather icon that Apple wouldn't allow, as they have a policy that offical IoS third party apps can't have dynamic icons, only default apps (created by Apple) can.

That said on Android I'm not aware of any kind of policies like this, so assume like @Zero Knowledge said it was probably a cracked version.

It does show an increasing trend of hackers and scammers targeting mobile devices, rather than just PCs. I wonder if this is due to the increase in security on PCs, or the increase in people having these types of phones, making them a greater target.
 
Last edited:
  • Like
Reactions: Cats-4_Owners-2
W

Wave

There are times when you would download 'legitimate' apps from the internet that aren't in the store.
Yes, but that doesn't change the fact that you should still do the research and perform checks. If you don't do this and download it, then you've fell for the trap... Most of it evolves around social engineering and user intervention is almost always required (not always in very rare situations where a website is compromised and exploits the browser to infect you - you were just visiting a trusted site so it wasn't really your fault).

Social engineering is the malware authors key, and social engineering is the target you need a strength in to stay secure these days. One simple advertisement telling you your system is infected is enough to trick some people, whereas stronger people need more work done to be tricked.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top