The malware works behind the scenes, preparing its attacks...
The malware works behind the scenes, preparing its attacks...

The Zscaler ThreatLabZ research team has discovered a fake Netflix app, which conceals a well-crafted piece of spyware they call SpyNote RAT (remote access Trojan).

Available in third-party app stores, the spoofed app uses a number of tricks to convince users that it's genuine including using the Netflix logo as its icon.

As soon as the user clicks the spyware's icon for the first time, nothing seems to happen and the icon disappears from the homescreen. This is a common trick played by malware developers, making the user think the app has been removed.

But, behind the scenes, the malware is still there, preparing its attacks.

Zscaler says SpyNote can perform a variety of alarming functions including:

  • Activating the device's microphone and listening to live conversations
  • Executing commands on the device
  • Copying files from the device to a Command & Control (C&C) server centre
  • Recording screen captures
  • Viewing contacts
  • Reading SMS messages

For contacting C&C, the spyware was found to be using free DNS services.

SpyNote RAT uses an unusual trick to make sure that it remains up and running and that the spying does not stop. It does so using the services, broadcast receivers and activities components of the Android platform.

Services can perform long-running operations in the background and does not need a user interface. Broadcast receivers are Android components that can register themselves for particular events. Activities are key building blocks, central to an app's navigation, for example.

According to Zscaler, signatures show the spyware was a product of a spyware Trojan builder called SpyNote, which was leaked last year. “The Netflix spyware we are analysing seems to have been built using an updated version of SpyNote,” they said.

Furthermore, we found that in just the first two weeks of 2017, there have been more than 120 such spyware variants already built using the same SpyNote Trojan builder as SpyNote RAT and roaming in the wild.

The SpyNote RAT registers a service called AutoStartup and a broadcast receiver named BootComplete. MainActivity registers BootComplete with a boot event, so that whenever the device is booted, BootComplete gets triggered. BootComplete starts the AutoStartup service and the AutoStartup service makes sure that MainActivity is always running.

The firm said: “Because mobile devices are everywhere, malware is everywhere, too. That's why Zscaler advises all mobile users to take precautions when downloading anything to their devices, including apps.”

It added: “In particular, avoid side-loading apps from third-party app stores and avoid the temptation to play games that are not yet available on Android. Yes, we are talking about SuperMarioRun, which was recently launched by Nintendo only for iOS users. Recent blogs by the Zscaler research team explain how some variants of Android malware are exploiting the popularity of this game and tricking Android users into downloading a fake version.”