SpyNote：小心这个录音和记录通话的Android木马

The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.

已知的Android银行木马，称为SpyNote，已经被解剖，揭示出其多样的信息收集功能。

Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure.

通常通过短信钓鱼活动传播，涉及该间谍软件的攻击链会欺骗潜在受害者，让他们通过点击嵌入的链接来安装该应用，据F-Secure称。

Besides requesting invasive permissions to access call logs, camera, SMS messages, and external storage, SpyNote is known for hiding its presence from the Android home screen and the Recents screen in a bid to make it difficult to avoid detection.

除了请求侵入性权限以访问通话记录、相机、短信消息和外部存储之外，SpyNote还以隐匿的方式存在于Android主屏幕和“最近屏幕”上，以防止被检测到。

"The SpyNote malware app can be launched via an external trigger," F-Secure researcher Amit Tambe said in an analysis published last week. "Upon receiving the intent, the malware app launches the main activity."

F-Secure的研究员Amit Tambe在上周发表的分析中表示：“SpyNote恶意应用可以通过外部触发启动。” “在接收到意图后，恶意应用启动主要活动。”

But most importantly, it seeks accessibility permissions, subsequently leveraging it to grant itself additional permissions to record audio and phone calls, log keystrokes, as well as capture screenshots of the phone via the MediaProjection API.

但最重要的是，它寻求辅助权限，随后利用它来授予自己附加权限，以录制音频和电话通话、记录按键操作，以及通过MediaProjection API捕获手机屏幕截图。

A closer examination of the malware has revealed the presence of what are called diehard services that aim to resist attempts, either made by the victims or by the operating system, at terminating it.

对恶意软件的更详细检查揭示了所谓的“顽固服务”的存在，旨在抵制受害者或操作系统终止它的尝试。

This is accomplished by registering a broadcast receiver that's designed to restart it automatically whenever it is about to be shut down. What's more, users who attempt to uninstall the malicious app by navigating to Settings are prevented from doing so by closing the menu screen via its abuse of the accessibility APIs.

这是通过注册一个旨在在即将关闭时自动重新启动它的“广播接收器”来实现的。此外，试图通过导航到设置卸载恶意应用的用户通过滥用辅助API来防止这样做。

"The SpyNote sample is spyware that logs and steals a variety of information, including key strokes, call logs, information on installed applications, and so on," Tambe said. "It stays hidden on the victim's device making it challenging to notice. It also makes uninstallation extremely tricky."

Tambe说：“SpyNote样本是一种记录和窃取各种信息的间谍软件，包括按键操作、通话记录、已安装应用程序的信息等。” “它潜伏在受害者的设备上，很难察觉。卸载它也变得非常棘手。”

"The victim is eventually left only with the option of performing a factory reset, losing all data, thereby, in the process."

“受害者最终只剩下进行恢复出厂设置的选项，从而在过程中丢失所有数据。”

The disclosure comes as the Finnish cybersecurity firm detailed a bogus Android app that masquerades as an operating system update to entice targets into granting it accessibility services permissions and exfiltrate SMS and bank data.

这一披露出现在芬兰网络安全公司详细介绍了一款伪装成操作系统更新的虚假Android应用程序的时候，以诱使目标授予它的辅助服务权限并外泄短信和银行数据。

原文始发于微信公众号（知机安全）：SpyNote：小心这个录音和记录通话的Android木马