www.mcafee.com
104.102.58.198  Public Scan

URL: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-spynote-attacks-electric-and-water-public-utility-users-in...
Submission: On July 29 via api from US — Scanned from DE



ANDROID SPYNOTE ATTACKS ELECTRIC AND WATER PUBLIC UTILITY USERS IN JAPAN



McAfee Labs

Jul 21, 2023

5 MIN READ

Authored by Yukihiro Okutomi 

In early June 2023, McAfee’s Mobile team observed a smishing campaign against
Japanese Android users in which the sender posed as a power and water
infrastructure company. The campaign ran for a short time from June 7. The SMS
message warns of a payment problem to lure victims to a phishing website, which
infects the target device with remotely controlled SpyNote malware. In the past,
cybercriminals have often targeted financial institutions. On this occasion,
however, public utilities were the target, to generate a sense of urgency and
push victims to act immediately. Protect your Android and iOS mobile devices
with McAfee Mobile Security.


SMISHING ATTACK CAMPAIGN 

A phishing SMS message impersonating a power or water supplier claims a payment
problem, as shown in the screenshot below. The URL in the message directs the
victim to a phishing website to download mobile malware. 



Notice of suspension of power transmission because of non-payment of charges
from a power company in Tokyo (Source: Twitter) 



Notice of suspension of water supply because of non-payment of charges from a
water company in Tokyo (Source: Twitter) 

 

When the phishing website is accessed with a mobile browser, the malware
download starts and a malware installation confirmation dialog is displayed.



The confirmation dialog of Spyware installation via browser (Source: Twitter) 


SPYNOTE MALWARE 

SpyNote is a known family of malware that proliferated after its source code was
leaked in October 2022. Recently, the malware was used in a campaign targeting
financial institutions in January and in one targeting the Bank of Japan in
April 2023.

The SpyNote malware is remotely controlled spyware that abuses accessibility
services and device administrator privileges. It steals device information and
sensitive user information such as device location, contacts, incoming and
outgoing SMS messages, and phone calls. The malware deceives users by using
legitimate app icons to look real.



Application Icons disguised by malware. 

After launching the malware, the app opens a fake settings screen and prompts
the user to enable the Accessibility feature. When the user clicks the arrow at
the bottom of the screen, the system Accessibility service settings screen is
displayed. 



A fake setting screen (left), system setting screen (center and right) 

Once the user allows the Accessibility service, the malware disables battery
optimization so that it can run in the background, and automatically grants
itself the unknown-source installation permission so that it can install further
malware without the user’s knowledge. In addition to spying on the victim’s
device, it also steals two-factor authentication information from Google
Authenticator, along with Gmail and Facebook information, from the infected
device.
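The behaviour chain described above (Accessibility service enabled, battery optimization disabled, unknown-source installation granted) can be checked on a suspect device from captured adb output. The following is an added example, not code from the McAfee post; the sample outputs, the `com.example.*` packages and the `PlaceholderService` class names are constructed, and the `dumpsys deviceidle` and `appops` output formats are assumptions.

```python
# Added example: triage of captured adb output. All sample data is constructed.
IOC_PACKAGES = {"com.faceai.boot", "com.faceai.boom"}  # package names from this page

def third_party(pm_output):
    # `adb shell pm list packages -3` prints one "package:<name>" line per app.
    return {l.split(":", 1)[1].strip() for l in pm_output.splitlines()
            if l.startswith("package:")}

def accessibility_owners(setting):
    # `adb shell settings get secure enabled_accessibility_services` prints
    # colon-separated "<package>/<service class>" entries, or "null" if none.
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if "/" in c}

def battery_exempt(dump):
    # `adb shell dumpsys deviceidle whitelist`: assumed "<kind>,<package>,<uid>"
    # lines; "user" is assumed to mark exemptions not built into the system image.
    rows = (line.strip().split(",") for line in dump.splitlines())
    return {r[1] for r in rows if len(r) == 3 and r[0] == "user"}

def may_install(appops_output):
    # `adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES`: assumed to print
    # "REQUEST_INSTALL_PACKAGES: allow" when unknown-source installs are granted.
    return any(l.strip().startswith("REQUEST_INSTALL_PACKAGES: allow")
               for l in appops_output.splitlines())

def triage(pm_output, a11y_setting, idle_dump, appops_by_pkg):
    a11y, exempt = accessibility_owners(a11y_setting), battery_exempt(idle_dump)
    findings = {}
    for pkg in sorted(third_party(pm_output)):
        behaviours = [name for name, hit in (
            ("accessibility-service", pkg in a11y),
            ("battery-optimization-exempt", pkg in exempt),
            ("unknown-source-install", may_install(appops_by_pkg.get(pkg, ""))),
        ) if hit]
        # Flag a listed package name, or the full behaviour chain under any name.
        if pkg in IOC_PACKAGES or len(behaviours) == 3:
            findings[pkg] = {"ioc_name": pkg in IOC_PACKAGES, "behaviours": behaviours}
    return findings

# Constructed captures: one listed package, one benign screen reader, and one
# hypothetical renamed sample that shows the same three behaviours.
SAMPLE_PM = "package:com.faceai.boot\npackage:com.example.reader\npackage:com.example.billing\n"
SAMPLE_A11Y = ("com.example.reader/com.example.reader.ReaderService:"
               "com.faceai.boot/com.faceai.boot.PlaceholderService:"
               "com.example.billing/com.example.billing.PlaceholderService")
SAMPLE_IDLE = ("system,com.example.platform,10012\n"
               "user,com.faceai.boot,10234\n"
               "user,com.example.billing,10240\n")
SAMPLE_APPOPS = {
    "com.faceai.boot": "REQUEST_INSTALL_PACKAGES: allow\n",
    "com.example.billing": "REQUEST_INSTALL_PACKAGES: allow\n",
    "com.example.reader": "REQUEST_INSTALL_PACKAGES: default\n",
}

if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_IDLE, SAMPLE_APPOPS).items():
        print(pkg, info)
```

Matching on the behaviour chain as well as the package name means a repackaged sample is still flagged, while an app that only holds the Accessibility service is not.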

Although the distribution method is different, the step of requesting
Accessibility service after launching the app is similar to the case of the Bank
of Japan that occurred in April. 

Scammers keep up with current events and attempt to impersonate well-known
companies that have a reason to reach out to their customers. The mobile malware
attack using SpyNote discovered this time targets mobile apps for lifeline
infrastructure such as electricity and water. One of the reasons for this is
that electric bills and water bills, which used to be issued on paper, are now
managed on the web and in mobile apps. If you want to learn about smishing,
consult this article: “What Is Smishing? Here’s How to Spot Fake Texts and Keep
Your Info Safe”. McAfee Mobile Security detects this threat as Android/SpyNote,
alerts mobile users if it is present, and further protects them from any data
loss. For more information, visit McAfee Mobile Security.


INDICATORS OF COMPROMISE (IOC) 

C2 Server: 

 * 104.233.210.35:27772 

Malware Samples: 

Package name  Application name
com.faceai.boot  キャリア安全設定
com.faceai.boot  東京電力
com.faceai.boot  東京電力TEPCO
com.faceai.boom  東京水道局アプリ

 

 

  United States / English Copyright © 2023 McAfee, LLC