This Android malware is spreading like wildfire after going open source – how to stay safe

Green skull on smartphone screen.
(Image credit: Shutterstock)

We could potentially see even more malicious apps spreading Android malware than we did last year now that the source code of a popular malware strain has been posted online.

During the final quarter of 2022, there was a significant increase in detections of the SpyNote or SpyMax Android malware family. This was attributed to the fact that the creator of CypherRat – which is based on SpyNote – posted the malware strain’s source code on GitHub.

What makes CypherRat particularly dangerous is that it combines SpyNote’s spying capabilities which include remote access, GPS tracking and device status and activity updates with features found in banking trojans used to impersonate popular banks and steal users’ account credentials according to BleepingComputer (opens in new tab).

Although CypherRat was initially sold through private Telegram channels between August of 2021 and October of 2022, its creator eventually decided to make the malware open source after other cybercriminals impersonated the project on hacking forums.

Custom CypherRat variants

Android malware on phone

(Image credit: Shutterstock)

With the source code to CypherRat in hand, cybercriminals began launching their own campaigns using the malware. Shortly after the malware’s source code was published on GitHub, custom variants of CypherRat began to appear online impersonating Bank of America, HSBC, Deutsche Bank and other popular banks.

However, other cybercriminals used CypherRat’s source code to target a wider audience by creating fake versions of popular apps including the Google Play Store, WhatsApp and Facebook.

In a blog post (opens in new tab) detailing its investigation into the matter, ThreatFabric revealed that it had also observed attackers creating malicious apps impersonating utilities like wallpaper and productivity apps as well as gaming apps.

Now that CypherRat’s source code is out in the open, we’ll likely see other malicious apps being used to infect the best Android phones and tablets with this powerful malware.

Abusing accessibility features to spy on users

Just like with other malware strains, CypherRat and other SpyNote variants leverage Android’s built-in Accessibility Service to install new apps, intercept text messages to bypass two-factor authentication (2FA), listen in on calls and record video and audio on infected devices.

In addition to this, SpyNote can be used to steal Facebook and Google account credentials, record and send videos from an infected device to an attacker-controlled server, extract codes from Google Authenticator and log key presses to steal banking credentials.

While CypherRat is mainly being used as a banking trojan at the moment, it could also be used as spyware due to its ability to record video, take pictures and capture keystrokes.

How to stay safe from Android malware

A hand holding a phone securely logging in

(Image credit: Google)

SpyNote, CypherRat and other Android malware is mainly spread through phishing sites, third-party app stores and social media. This is why you need to be extremely careful when clicking on links and attachments in emails, messages or even social media posts.

However, the easiest way to stay safe from Android malware is to avoid sideloading apps despite how tempting doing so may be. Instead, you want to only download apps from official app stores like the Google Play Store, Samsung Galaxy Store and the Amazon Appstore. 

Even then, bad apps do manage to slip through Google and other tech giants’ defenses from time to time which is why you should ensure that Google Play Protect is enabled and running on all of your Android devices. In an email to Tom's Guide, a Google spokesperson explained how Google Play Protect can help keep your devices safe from malware, saying: 

“Google Play Protect checks Android devices with Google Play Services for potentially harmful apps from other sources. Users are protected by Google Play Protect, which can warn users or block identified malicious apps on Android devices.”

For additional protection though, you may also want to consider installing one of the best Android antivirus apps as they work alongside Google Play Protect to keep your devices even more secure.

Another thing to watch out for is apps requesting Accessibility permissions after installation. While some legitimate apps do need these permissions in order to work properly, you need to be extra cautious when granting these kinds of permissions. You also want to look at reviews and ratings before installing any new app and it’s a good idea to look for external reviews (preferably video reviews) so that you can ensure an app really does what its listing page says.

Android malware and malicious apps used to spread malware were a huge problem last year but with CypherRat’s source code being readily available online, 2023 may even be a worse year for Android security.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.