A “potent” remote access trojan (RAT) for Android devices is being downloaded onto devices through “deceptive websites” posing as Google Play Store download pages, security researchers have warned.

The newly registered domains are designed to dupe users into downloading AndroidOS SpyNote RAT malware by mimicking the install pages for popular English and Chinese apps including Google Chrome.

Investigators at threat intelligence company DomainTools said: “These websites often include an image carousel displaying screenshots of mimicked Google Play app pages to enhance the illusion of legitimacy.”

The researchers said a `<c-wiz>` element in the websites' front-end markup acted as a "container and managed component" responsible for executing the JavaScript download function that delivered .apk files to the affected device.
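A defender-side heuristic for this delivery pattern, added here as an example rather than DomainTools' own tooling: it flags HTML that is served from a host outside Google's domains, contains a `<c-wiz>` element, and carries script or anchor text pointing at an .apk file. The trusted-host list and the sample page are assumptions constructed for the demo.

```python
"""Heuristic scan for Play Store lookalike pages that push .apk downloads."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

LEGIT_SUFFIXES = ("google.com", "android.com")   # assumption: trusted hosts
APK_RE = re.compile(r"\.apk\b", re.IGNORECASE)

class _Collector(HTMLParser):
    """Collects <c-wiz> count, inline script text and .apk anchor hrefs."""
    def __init__(self):
        super().__init__()
        self.cwiz, self.in_script, self.scripts, self.apk_links = 0, False, [], []
    def handle_starttag(self, tag, attrs):
        if tag == "c-wiz":
            self.cwiz += 1
        elif tag == "script":
            self.in_script = True
        elif tag == "a":
            href = dict(attrs).get("href") or ""
            if APK_RE.search(href):
                self.apk_links.append(href)
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def assess_page(url: str, html: str) -> dict:
    """Return per-signal findings plus an overall 'suspicious' verdict."""
    host = urlparse(url).hostname or ""
    trusted = any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)
    c = _Collector()
    c.feed(html)
    script_apk = any(APK_RE.search(s) for s in c.scripts)
    f = {"untrusted_host": not trusted, "has_cwiz": c.cwiz > 0,
         "script_references_apk": script_apk, "apk_anchor_links": bool(c.apk_links)}
    # Verdict: Play-style container on an untrusted host that hands out an .apk
    f["suspicious"] = f["untrusted_host"] and f["has_cwiz"] and (script_apk or f["apk_anchor_links"])
    return f

# Constructed sample mimicking the described page layout (not a real capture)
SAMPLE_HTML = """<html><body><c-wiz>
<div class="carousel"><img src="shot1.png"><img src="shot2.png"></div>
<button onclick="dl()">Install</button>
<script>function dl(){window.location='/files/chrome-update.apk';}</script>
</c-wiz></body></html>"""

if __name__ == "__main__":
    print(assess_page("https://play-lookalike.example/chrome", SAMPLE_HTML))
```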

While “no definitive attribution is currently available”, DomainTools's team suspect a China nexus group to be involved in the campaign.

DomainTools detailed the download tactics for the SpyNote malware. Image Credit: DomainTools

SpyNote is a widely known Android RAT, around since 2016, and its ability to update itself and remove its app from a device's app launcher makes it "notorious for its persistence."

Once installed on a device, the malware requests a long list of "intrusive permissions", giving it the ability to download apps, record phone calls, take screenshots, log keystroke data, and set up immediate C2 communication with the attacker.

As SpyNote is able to hide itself from an app launcher page, security company F-Secure said: "The next option for victims to uninstall apps would be to go to Settings → Apps and uninstall. However, SpyNote prevents this by closing the menu screen whenever the victim navigates to the app through Settings."

This means an infected device often requires a complete factory reset to remove the malware, deleting a user's data in the process.

While SpyNote is usually distributed through smishing, the newly discovered technique of spinning up pages that mimic trusted sites reflects a growing trend: attackers impersonate well-known, trusted sites, often with personalised pages, to dupe victims into clicking download.