Fake Avast Antivirus Sites Distribute SpyNote Android Malware
A new variant of the SpyNote malware is impersonating Avast Mobile Security to exploit the brand's credibility, according to CYFIRMA. The malware is distributed through phishing sites that replicate Avast’s official website, and it presents itself as “Avastavv.apk” with a convincing fake icon and branding. When users download the app, it requests extensive permissions that allow it to seize control of their device, enabling data theft and surveillance. The app’s request for Accessibility Service permissions helps it bypass initial user scrutiny: it then grants itself additional access to functions like the camera and microphone by simulating user actions in the background. It displays fake notifications like “system updates” that mislead users, and it redirects them to malware-related settings. The app also resists removal by intercepting attempts to access its settings and pushing users back to the home screen.

Impersonating a well-known security brand to widen its reach marks a shift from older SpyNote versions, which used more generic disguises. The phishing sites are crafted to resemble legitimate antivirus download pages, featuring options for multiple platforms. On Android, the “Avast” download leads to SpyNote, while the desktop download links to AnyDesk, hinting at potential remote access exploitation.

This updated SpyNote version connects to its C2 server (45.94.31[.]96) for data exfiltration and can capture images, audio, and messages across popular apps like WhatsApp and Facebook. It also targets crypto wallets such as Trust Wallet and Binance to steal financial data, reflecting a focus on cryptocurrency that is driven by its increased value. Users should avoid downloading apps from sources outside Google Play and regularly review app permissions to stay safe.