Mobile device security: focus on three threats to Android

Threat Discovery Telsy TS WAY Cyber Threat Intelligence

Threat Discovery is an editorial space of Telsy and TS-WAY dedicated to in-depth analysis of cyber threat intelligence at a global level.

The information reported is the outcome of the collection and analysis work done by TS-WAY specialists for the TS-Intelligence platform.

This article presents three specific threats to Android systems that combine multiple functionalities.


SpyNote, spyware with banking trojan features

SpyNote is a family of Android malware whose detections rose sharply during 2023 and remained at a high level in 2024.

The reports mostly involve malicious code derived from the CypherRat variant, which combines spyware capabilities with banking trojan functionality. Its author marketed it through private Telegram channels from August 2021 to October 2022; then, after a series of scam incidents on hacking forums, he decided to release the source code on GitHub.

The ability to adapt the code to the specific needs of individual criminals, together with its wide range of functions, greatly facilitated the global spread of SpyNote. In Italy, according to some sources, it has emerged as one of the most frequently detected spyware families.

Among the campaigns tracked as of August 2023 was one that targeted European customers of several banks, using a smishing wave as the vector. Targets were tricked into downloading the legitimate TeamViewer QuickSupport app from the Google Play Store, ostensibly for technical support; the attackers then used it to install the RAT on the device.

More recently, SpyNote posed as the INPS Mobile app, offered for download from a fraudulent web page crafted in great detail to resemble the legitimate site of the Italian social security institute.


Irata, a banking trojan with spyware capabilities

Irata, whose name is thought to stand for "Iranian remote access tool android," is a banking trojan for Android with spyware capabilities. Active since at least 2022, the malware has been used in several attacks, including some against Italian targets.

Notably, in January 2024, campaigns were tracked that impersonated communications from banking institutions such as Mediobanca and CheBanca!. Victims were reportedly reached by SMS containing a URL from which a malicious APK was downloaded.

The information Irata can collect includes credit card details and two-factor authentication (2FA) tokens. In addition, it can turn the infected device into a bot that sends further SMS messages, thereby propagating the campaign. Data is exfiltrated to several purpose-built Telegram channels.

Analysis has also revealed that the adversary distributing Irata maintains a repository of APK files used to target customers of BNL, the Spanish mobile payment service Bizum, and Caixa bank.


Rafel RAT, between cyber espionage and ransomware

The open-source Android tool Rafel RAT supports numerous malicious activities, from remote control to the exfiltration of sensitive data, credentials and access tokens. One of the most widely used, however, is ransomware.

Used in at least 120 campaigns worldwide, it has claimed victims mainly in the United States, China, and Indonesia. Infections have also been reported in Italy, France, Germany and Russia. Among the impacted entities are high-profile organizations, some active in the defense sector.

In most cases, Rafel RAT affected Samsung devices. To a lesser extent, Google (Pixel, Nexus), Xiaomi, Vivo, Huawei, LG, Motorola, and OnePlus devices were also compromised. Although the malware has performed better on unsupported versions of the operating system (specifically, Android 5, 8, and 11), infections of Android 12 and 13 are also known.

Extortion attacks can be carried out in at least two ways. Once DeviceAdmin privileges are obtained, Rafel RAT can prevent the user from revoking them by setting a new lock-screen password. Alternatively, it can encrypt files with AES using a predefined key, or delete files from the device's storage. The ransom note is displayed as a text message, written in Arabic and English, linking to a Telegram channel controlled by the attackers.
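The three families above share a small set of on-device indicators that a defender can check in a fleet inventory: an app installed from outside Google Play (the smishing vector used by SpyNote and Irata), an active DeviceAdmin receiver (the lock-out step of Rafel RAT), and SMS send/read permissions (Irata's 2FA theft and SMS-bot behaviour). The following triage script is an added example, not code from Telsy/TS-WAY or from any of the malware families; it runs over a constructed inventory in the shape an MDM or EDR agent might export, and the package names, installer values and scoring weights are assumptions chosen for illustration.

```python
"""Triage heuristic for an Android app inventory (constructed example).

Flags apps that combine side-loading, DeviceAdmin and SMS permissions,
the pattern described for SpyNote, Irata and Rafel RAT.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Installer package of Google Play; any other installer, or none at all,
# is treated here as a side-load (assumption: inventory reports the installer).
PLAY_STORE_INSTALLER = "com.android.vending"

SMS_SEND = {"android.permission.SEND_SMS"}
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


@dataclass(frozen=True)
class AppRecord:
    """One inventory row as an MDM/EDR agent might report it (constructed shape)."""
    package: str
    installer: Optional[str]   # package that installed the app; None when unknown (e.g. ADB)
    permissions: Set[str]      # granted runtime/normal permissions
    device_admin: bool         # app holds an active DeviceAdmin receiver


def triage(app: AppRecord) -> List[str]:
    """Return the individual indicators found for one app."""
    reasons: List[str] = []
    if app.installer != PLAY_STORE_INSTALLER:
        reasons.append("sideloaded")
    if app.device_admin:
        reasons.append("device_admin")
    if app.permissions & SMS_SEND:
        reasons.append("sms_send")
    if app.permissions & SMS_READ:
        reasons.append("sms_read")
    return reasons


def risk_score(app: AppRecord) -> int:
    """One point per indicator, plus a bonus for the combinations the article describes."""
    reasons = set(triage(app))
    score = len(reasons)
    # Side-loaded app holding DeviceAdmin: the Rafel RAT lock-screen lock-out pattern.
    if {"sideloaded", "device_admin"} <= reasons:
        score += 2
    # Side-loaded app that reads or sends SMS: the Irata 2FA-theft / SMS-bot pattern.
    if "sideloaded" in reasons and reasons & (SMS_SEND | SMS_READ | {"sms_send", "sms_read"}):
        score += 2
    return score


def rank_inventory(apps: List[AppRecord]) -> List[Tuple[int, str, List[str]]]:
    """Return (score, package, reasons) for every app with at least one indicator, highest first."""
    scored = [(risk_score(a), a.package, triage(a)) for a in apps]
    return sorted([row for row in scored if row[0] > 0], key=lambda row: row[0], reverse=True)


# Constructed inventory: package names other than the Play Store installer are
# illustrative placeholders, not real indicators of compromise.
SAMPLE_INVENTORY = [
    AppRecord("com.example.remote_support", PLAY_STORE_INSTALLER, set(), False),
    AppRecord("it.example.fake_inps", None,
              {"android.permission.SEND_SMS", "android.permission.READ_SMS",
               "android.permission.RECEIVE_SMS"}, True),
    AppRecord("com.example.bank", PLAY_STORE_INSTALLER, {"android.permission.CAMERA"}, False),
    AppRecord("com.example.corporate_mdm", PLAY_STORE_INSTALLER, set(), True),
]


if __name__ == "__main__":
    for score, package, reasons in rank_inventory(SAMPLE_INVENTORY):
        print(f"{score:2d}  {package:30s}  {', '.join(reasons)}")
```

A legitimate Play-installed device administrator (the corporate MDM row) still surfaces with a low score, which is intended: the heuristic is a prioritisation aid for analysts, and the combination bonuses are what push a side-loaded admin app with SMS access to the top of the list.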

Campaigns related to this threat can be traced to very disparate contexts. One ransomware offensive was allegedly run by attackers based in Iran. A hacktivist campaign, claimed by a member of Anonymous Egypt who signs himself LoaderCrazy, targeted a Pakistani government website. Finally, Rafel RAT users reportedly include the Indian APT Dropping Elephant, which used it alongside several other tools in a complex cyber-espionage campaign.


Telsy and TS-WAY

TS-WAY is a company that develops technologies and services for medium and large organizations, with cyber threat intelligence expertise that is unique in Italy. Founded in 2010, TS-WAY has been part of Telsy since 2023.

It operates as an effective extension of the client organization, supporting the in-house team in intelligence and investigation, cyber incident response, and systems security verification.

TS-WAY’s experience is internationally recognized and is corroborated by large private organizations in finance, insurance, defense, energy, telecommunications, transportation, technology, and by government and military organizations that have used the services of this Italian company over time.


TS-WAY’s Services and Solutions

With several vertical teams of security analysts and researchers with technical and investigative expertise, and internationally recognized experience, TS-WAY provides all the assistance needed to align an organization’s security program with its risk management objectives.

Its services offer a preventive and comprehensive approach to security to protect clients’ assets and business continuity.

Its technology solutions transform global threat data into strategic, tactical, operational, and technical intelligence.


TS-Intelligence

TS-Intelligence is a proprietary, flexible, and customizable solution that provides organizations with a detailed risk landscape.

It is delivered as a web-based, full-API platform that can be integrated into an organization's defensive systems and infrastructure to strengthen protection against complex cyber threats.

Constant research and analysis on threat actors and emerging networked threats, both in APT and cybercrime, produces a continuous information flow of an exclusive nature that is made available to organizations in real-time and processed into technical, strategic, and executive reports.


Learn more about TS-WAY’s services.