April 10, 2025 By Duncan Riley
A new report out today from internet intelligence company DomainTools LLC warns that threat actors are using newly registered domains to deliver the SpyNote Android remote access trojan via sites that mimic Google Play app installation pages.
In trying to imitate legitimate Google Play app listings, the cloned pages often feature image carousels and familiar visual elements to create the illusion of legitimacy, prompting unsuspecting users to download malicious APK files. One example mimicked the TikTok installation page, using remnants of older app references such as “com.zhiliaoapp.musically” in the site code.
The downloaded files include variants of SpyNote, an Android RAT capable of conducting surveillance, harvesting sensitive data and executing remote commands on compromised devices. SpyNote first appeared in 2016 and has popped up in various campaigns over the years, including one targeting Netflix Inc. users in 2017.
The SpyNote malware is delivered in a two-stage process: an initial dropper APK installs a second embedded APK that houses the core spyware functionality. DomainTools found that the dropper uses JavaScript to create a hidden iframe that silently initiates the download process when a user clicks the fake install button.
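The two tell-tales the report describes, an install button wired to a hidden iframe that pulls an APK and leftover package identifiers such as "com.zhiliaoapp.musically" in the cloned page's source, can both be checked for statically. The Python scanner below is an added example written for this article, not DomainTools' tooling; the two sample pages, the file paths and the rule names in it are constructed for illustration.

```python
"""Heuristic scanner for cloned app-store install pages (constructed example).

Flags pages that (a) embed an iframe pointing at an .apk while hiding it,
(b) build an iframe from script next to an .apk URL, and (c) carry
reverse-DNS Android package identifiers that an analyst can compare with
the app the page claims to offer.
"""
import re
from html.parser import HTMLParser

# An .apk reference followed by a query string, fragment, quote, whitespace or end of string
APK_RE = re.compile(r"\.apk(?:[?#\"'\s]|$)", re.I)
# Reverse-DNS Android package names: at least three dot-separated lowercase labels
PKG_RE = re.compile(r"\b[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*){2,}\b")
# Inline styles commonly used to keep an iframe out of sight
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|width\s*:\s*0|height\s*:\s*0", re.I
)
# Script creating an iframe element at runtime
SCRIPT_IFRAME_RE = re.compile(r"createElement\s*\(\s*['\"]iframe['\"]\s*\)", re.I)
# Only these prefixes are treated as app package ids, to limit false positives on JS property chains
PKG_PREFIXES = ("com.", "org.", "net.", "io.")


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def scan_page(html: str) -> dict:
    """Return findings, collected package ids and a verdict for one HTML document."""
    findings = []
    parser = _IframeCollector()
    parser.feed(html)

    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        style = attrs.get("style") or ""
        hidden = (
            bool(HIDDEN_STYLE_RE.search(style))
            or "hidden" in attrs
            or attrs.get("width") == "0"
            or attrs.get("height") == "0"
        )
        if hidden and APK_RE.search(src):
            findings.append(("hidden_apk_iframe", src))

    if SCRIPT_IFRAME_RE.search(html) and APK_RE.search(html):
        findings.append(("script_iframe_apk", "createElement('iframe') with .apk reference"))

    package_ids = sorted(
        m for m in set(PKG_RE.findall(html)) if m.startswith(PKG_PREFIXES)
    )

    decisive = {"hidden_apk_iframe", "script_iframe_apk"}
    verdict = "suspicious" if any(kind in decisive for kind, _ in findings) else "benign"
    return {"findings": findings, "package_ids": package_ids, "verdict": verdict}


# Constructed sample: a cloned listing with a leftover package id, a carousel,
# a hidden .apk iframe and a script that creates another one on click.
SAMPLE_CLONED_PAGE = """
<html><head><title>TikTok - Apps on Google Play</title>
<meta name="app-id" content="com.zhiliaoapp.musically"></head>
<body>
<div class="carousel"><img src="shot1.png"><img src="shot2.png"></div>
<button id="install">Install</button>
<iframe src="/files/tiktok_update.apk" style="display:none"></iframe>
<script>
document.getElementById('install').onclick = function () {
  var f = document.createElement('iframe');
  f.style.display = 'none';
  f.src = '/files/tiktok_update.apk';
  document.body.appendChild(f);
};
</script>
</body></html>
"""

# Constructed sample: a legitimate referral link carrying a package id but no APK download.
SAMPLE_BENIGN_PAGE = """
<html><body>
<a href="https://play.google.com/store/apps/details?id=com.example.app">Get it on Google Play</a>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("cloned", SAMPLE_CLONED_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(name, scan_page(page))
```

Package identifiers are reported but never decide the verdict on their own, because a genuine Play referral link carries one too; their value is in the mismatch an analyst sees when a page titled for one app still contains the identifier of another.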