The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and Europol’s European Cybercrime Centre (EC3) have released a joint Cybersecurity Advisory (CSA). The advisory details a campaign using spyware and Remote Access Trojans (RATs) to target users of popular messaging applications.
The malicious campaign, active since at least February 2023, specifically targets Android mobile device users through trojanized versions of WhatsApp and Signal applications.
Attack Methodology: Fake Websites and Malicious APKs
Threat actors established malicious websites designed to impersonate the official download pages for Signal and WhatsApp. These fraudulent sites hosted malicious Android Package Kit (APK) files for download. When users installed these trojanized applications, their devices were infected with spyware designed to operate in the background and exfiltrate sensitive data.
The joint advisory identified two primary malware families being deployed in this campaign: SpyNote (also known as SpyMax) and CypherRAT.
Malware Capabilities and Data Exfiltration
Once installed on a victim’s device, the malware requests extensive permissions to access device functions and data. The SpyNote malware was observed with capabilities to extract and exfiltrate contacts, call logs, and SMS messages. It could also record audio, take pictures with the device’s camera, record the screen, and make calls.
The CypherRAT malware demonstrated a similar range of intrusive functions, including keylogging to capture user input, stealing banking credentials, and exfiltrating contact lists and text messages. Additionally, CypherRAT could take photos, record audio, and track the device’s physical location. The advisory provided Indicators of Compromise (IOCs) to help network defenders detect related activity.
To mitigate these threats, the agencies advise users to download applications exclusively from official sources like the Google Play Store and Apple’s App Store, carefully review all requested application permissions, use mobile security software, and keep operating systems and applications updated.
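As an added defender-side illustration (not code from the advisory or the agencies), the triage script below applies the two checks the mitigation guidance implies to an Android package inventory: it flags packages whose name imitates WhatsApp or Signal without being the official package, official packages that were not installed by the Play Store, and any package requesting the combination of permissions that matches the spyware capabilities described above. It assumes `pm list packages -i` output of the form `package:<name>  installer=<source>`; the inventory and the permission threshold are constructed sample data.

```python
import re

# Official package names of the two apps the campaign impersonates (real identifiers).
OFFICIAL = {"whatsapp": "com.whatsapp", "signal": "org.thoughtcrime.securesms"}
PLAY_STORE = "com.android.vending"

# Dangerous permissions that together cover the capabilities the advisory
# attributes to SpyNote and CypherRAT: contacts, call logs, SMS, audio,
# camera, placing calls and location.
SPYWARE_PERMS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.CALL_PHONE",
    "android.permission.ACCESS_FINE_LOCATION",
}
PERM_THRESHOLD = 5  # assumed cut-off; tune to your environment

def parse_pm_list(text):
    """Parse `pm list packages -i` output into {package: installer}."""
    found = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        found[m.group(1)] = m.group(2)
    return found

def triage(installed, perms):
    """Return (package, reason) findings for packages that deserve a closer look."""
    findings = []
    for pkg, installer in installed.items():
        low = pkg.lower()
        for brand, official in OFFICIAL.items():
            if brand in low and pkg != official:
                findings.append((pkg, f"lookalike of {official}"))
            elif pkg == official and installer != PLAY_STORE:
                findings.append((pkg, f"sideloaded (installer={installer})"))
        hits = SPYWARE_PERMS & perms.get(pkg, set())
        if len(hits) >= PERM_THRESHOLD:
            findings.append((pkg, f"{len(hits)} spyware-grade permissions"))
    return findings

# Constructed sample inventory; package names other than the official ones are made up.
SAMPLE_PM = """package:com.whatsapp  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=null
package:com.signal.messenger.update  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_PERMS = {
    "com.signal.messenger.update": SPYWARE_PERMS | {"android.permission.INTERNET"},
    "com.example.notes": {"android.permission.INTERNET"},
}

if __name__ == "__main__":
    for pkg, reason in triage(parse_pm_list(SAMPLE_PM), SAMPLE_PERMS):
        print(f"{pkg}: {reason}")
```

On a real device the inventory comes from `adb shell pm list packages -i` and the per-package permission sets from `dumpsys package <name>`; the heuristics only prioritise what to inspect, they do not prove an APK is malicious.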