General

  • Target

    AIRTEL REFUND PROCESS_97.28.53.27.apk

  • Size

    3.5MB

  • Sample

    250122-j6s7pswrh1

  • MD5

    5cc90b791fbda38b1b0ff8e452551837

  • SHA1

    f4b72f5fcb27cd0077cb3bb191e82f6f5c3080cd

  • SHA256

    6401e54e09d8b0c46eafde1a268cd4fb7cf76b89207782b836abdbff8ece55aa

  • SHA512

    8775e7c6829dc7f6be3de6bb7330e601394b0f5759f13016576322055263a960505d19182922562bedcb36e786572d8fe96479cdcc5026af4f8fddb60bc9af1f

  • SSDEEP

    49152:0xbikYtquzGzwp3Zu7HSBfEKurSkQI4rEWi3rhc9dhhtuma0K+acCaKgmIT9MB9T:XsukN2ddZkQ5r+IvXVUFBa8JSy

Malware Config

Extracted

Family

spynote

C2

103.61.225.34:7771

Targets

    • Spynote

      Spynote is a Remote Access Trojan first seen in 2017.

    • Spynote family

    • Spynote payload

    • Removes its main activity from the application launcher

    • Loads dropped Dex/Jar

      Runs an executable file dropped onto the device during analysis.

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Performs UI accessibility actions on behalf of the user

      Application may abuse the accessibility service to prevent its removal.

    • Queries information about active data network

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Requests enabling of the accessibility settings.

MITRE ATT&CK Mobile v15

Tasks