cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Banks targeted by Android-based malware

Financial institutions worldwide have become the target of a new version of a popular spyware tool designed to infect Android devices.

user icon Daniel Croft
Fri, 13 Jan 2023
Banks targeted by Android-based malware
expand image

SpyNote is a popular malware that allows users to spy on and modify infected android devices. It infects devices by deceiving android users under the guise that it is another app, such as Facebook or WhatsApp.

It is also capable of accessing the camera, meaning users are able to directly spy on the device’s owner, raising concerns beyond financial safety.

SpyNote.C is the latest version, and according to ThreatFabric, it is the first release of the spyware that has placed a particular interest in targeting financial institutions, disguising itself as a banking app.


Several institutions have been affected to date, with SpyNote.C disguising itself as the banking app for several organisations, including HSBC, Deutsche Bank, Kotak Bank, and BurlaNubank.

It will also ask users for a wide range of accessibility permissions, which, when granted, will extract two-factor authentication codes through the Google Authenticator app, and steal app credentials by tricking a user into logging in and providing their details.

Between August 2021 and October 2022, at least 80 people reportedly purchased SpyNote.C, which was being sold on a Telegram channel under the alias CypherRat.

In the final quarter of 2022, reports of SpyNote.C attacks dramatically increased after the code for CypherRat was leaked onto GitHub. Bad actors also targeted other bad actors, pretending to sell the software.

Researchers at ThreatFabric have suggested that because of the leak, more and more versions of SpyNote will appear.

Furthermore, they predict that “SpyNote will keep using Accessibility Service to collect essential data from users’ devices and that it will be able to develop towards a successful distribution”, whilst additional security measures to protect the software continue to be developed.

Android users should remain aware of the software, only download applications from trusted sources, such as the Google Play Store rather than third-party websites, and be wary of what permissions applications ask for.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.