The Android banking trojan known as SpyNote has been extensively analyzed by researchers at the information security company F-Secure [1]. The trojan is typically spread through SMS phishing campaigns [2] [3] [4], in which victims are tricked into installing the app [1]. Once installed, SpyNote gains invasive permissions to access call logs [2] [3], the camera [1] [2] [3], SMS messages [1] [2] [3], and external storage [1] [2] [3]. It also hides itself from the Android home screen and the Recents screen to avoid detection [2] [3] [4]. One notable feature of SpyNote is that it can be launched via an external trigger [1]. Once activated [1], it seeks accessibility permissions, which it uses to record audio and phone calls [2] [3] [4], log keystrokes [1] [2] [3] [4], and capture screenshots [1] [2] [3] [4]. SpyNote also includes "Diehard" services that resist termination attempts, and it prevents uninstallation by abusing accessibility APIs [2] [3]. If a user attempts to remove the malware through the settings menu [1], the malware uses the API to close the menu automatically [1], so a factory reset is required to remove the trojan [1] [3] [4]. Additionally, there has been a detailed report on a bogus Android app that masquerades as an operating system update and exfiltrates SMS and bank data.
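
The manifest-level traits described above (the permission set, no home-screen icon, exclusion from Recents, an accessibility service) can be checked statically during APK triage. The following Python is an added example, not code from the cited reports; it assumes a manifest already decoded to XML and that hiding from Recents is done with `android:excludeFromRecents`, and the three-of-four permission threshold and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions matching the access listed above: call logs, camera, SMS, external storage.
SENSITIVE = {"android.permission." + n for n in
             ("READ_CALL_LOG", "CAMERA", "READ_SMS", "WRITE_EXTERNAL_STORAGE")}
LAUNCHER = "android.intent.category.LAUNCHER"
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifests (not taken from any real app).
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
<application>
  <activity android:name=".Main" android:excludeFromRecents="true"/>
  <service android:name=".Svc"
           android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
</application></manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.CAMERA"/>
<application><activity android:name=".Main"><intent-filter>
  <category android:name="android.intent.category.LAUNCHER"/>
</intent-filter></activity></application></manifest>"""

def triage_manifest(xml_text):
    """Return triage tags for a decoded AndroidManifest.xml.
    Each trait also occurs in legitimate apps; the combination is the signal."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    if len(SENSITIVE & requested) >= 3:  # assumed threshold: 3 of the 4 listed
        findings.append("sensitive-permissions")
    acts = [e for e in root.iter() if e.tag in ("activity", "activity-alias")]
    cats = {c.get(ANDROID + "name") for a in acts for c in a.iter("category")}
    if acts and LAUNCHER not in cats:  # nothing to show on the home screen
        findings.append("no-launcher-activity")
    if any(a.get(ANDROID + "excludeFromRecents") == "true" for a in acts):
        findings.append("excluded-from-recents")
    if any(s.get(ANDROID + "permission") == A11Y for s in root.iter("service")):
        findings.append("accessibility-service")  # service bound by the a11y framework
    return findings

if __name__ == "__main__":
    for name, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage_manifest(doc))
```

When the manifest comes from an untrusted sample, parse it with a hardened XML parser such as `defusedxml` rather than the standard library parser.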


The presence of SpyNote poses significant risks to Android users, as it can gain access to sensitive information and evade detection. Mitigating these risks requires user awareness and caution when installing apps, especially those received through SMS phishing campaigns [4]. Additionally, developers should implement stronger security measures to prevent the installation and persistence of trojans like SpyNote. As the threat landscape continues to evolve, it is crucial for both users and developers to stay vigilant and adapt to emerging threats.