A new generation of mobile spyware, linked to the SpyMax/SpyNote malware family, has been uncovered by ThreatMon researchers during the analysis of a cyber-espionage campaign targeting Chinese-speaking users. The malicious app disguises itself as an official application of the Chinese Prosecution Service and spreads via fake app stores. The primary focus of the attack is users in mainland China and Hong Kong.
The standout feature of this newly discovered version is its exploitation of Android Accessibility Services, allowing the malware to bypass security restrictions and gain access to a wide range of device features. This is combined with advanced social engineering tactics and a convincing user interface that mimics legitimate government software.
Once installed, the app requests a wide range of system permissions. Upon obtaining them, it gains near-complete control over the device. The malicious code can intercept messages, track location, and activate the microphone and camera — including secretly recording while the screen is off. Researchers note that this level of access enables long-term covert surveillance and data theft.
Analysis revealed that the malicious APK (MD5 hash: cc7f1343574f915318148cde93a6dfbc) was first detected on April 4, 2025. It features a modular architecture, including components for executing commands via the Runtime API, controlling the camera and microphone, transmitting data over encrypted HTTPS connections, and activating different features depending on screen state, battery level, or network activity. The collected data is categorized, encrypted, and deleted from the device after transmission.
The app requests dangerous permissions such as access to SMS, silent app installations, system overlay management, and more — enabling total control over the smartphone. This combination allows attackers not only to spy on users but also to manipulate app interfaces, perform unauthorized payments, connect to premium services, and leak sensitive data.
A particularly dangerous feature is the fake Android Accessibility settings interface, created by the attackers. It’s an HTML page with animations and UI elements identical to the real settings, tricking users into granting critical permissions.
To detect this threat, researchers developed a custom YARA rule and compiled a list of Indicators of Compromise (IOCs). These include:
- Command and control IP: 165.154.110.64
- A characteristic pattern of ICMP ping requests
- Encrypted network communications
- Suspicious file storage paths
- Unique application components
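The dangerous permission combination described above and the network IOC can be turned into a simple triage check. The following is an added example, not code from the ThreatMon report; the permission names are real Android identifiers, while the risk weights, the threshold, the `dst=` log format and the sample inputs are assumptions constructed for illustration (the C2 address and MD5 are the ones quoted in the article).

```python
# Added triage helper: flags an Android app whose requested permissions match the
# SpyMax/SpyNote profile, and scans connection logs for the reported C2 address.
import hashlib
import re

C2_IPS = {"165.154.110.64"}                       # C2 address from the report
KNOWN_MD5 = {"cc7f1343574f915318148cde93a6dfbc"}  # APK hash from the report

# Real Android permission names; the weights are an assumed triage heuristic.
RISK_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,  # accessibility abuse
    "android.permission.SYSTEM_ALERT_WINDOW": 3,         # overlay / fake UI
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,    # silent installs
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 2,
    "android.permission.ACCESS_FINE_LOCATION": 1,
}

def permission_risk(perms):
    """Return (score, matched) for a list of requested permission names."""
    matched = sorted(p for p in set(perms) if p in RISK_PERMS)
    return sum(RISK_PERMS[p] for p in matched), matched

def is_spyware_profile(perms, threshold=9):
    """Accessibility plus overlay/install/SMS is the profile in the report;
    the threshold of 9 is an assumed cut-off, not a value from the page."""
    score, matched = permission_risk(perms)
    return score >= threshold and "android.permission.BIND_ACCESSIBILITY_SERVICE" in matched

def apk_hash_matches(apk_bytes):
    """True if the APK's MD5 is one of the known-bad hashes."""
    return hashlib.md5(apk_bytes).hexdigest() in KNOWN_MD5

LOG_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")  # assumed log format

def c2_hits(log_lines):
    """Return the log lines whose destination IP is a known C2 address."""
    return [ln for ln in log_lines if (m := LOG_RE.search(ln)) and m.group(1) in C2_IPS]

# Constructed sample input (not real telemetry); 203.0.113.7 is a documentation address.
SAMPLE_PERMS = ["android.permission.INTERNET", "android.permission.READ_SMS",
                "android.permission.SYSTEM_ALERT_WINDOW",
                "android.permission.REQUEST_INSTALL_PACKAGES",
                "android.permission.BIND_ACCESSIBILITY_SERVICE"]
SAMPLE_LOG = ["2025-04-04T10:00:01Z proto=tcp src=10.0.0.5 dst=165.154.110.64 dport=443",
              "2025-04-04T10:00:02Z proto=tcp src=10.0.0.5 dst=203.0.113.7 dport=443"]

if __name__ == "__main__":
    print("risk:", permission_risk(SAMPLE_PERMS), "spyware profile:", is_spyware_profile(SAMPLE_PERMS))
    print("C2 hits:", c2_hits(SAMPLE_LOG))
```

Blocking the IP alone is brittle once infrastructure rotates; the permission profile check is the part that keeps working against new samples.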
Security recommendations include:
- Strengthening mobile device protection through MDM policies
- Blocking known IOCs at the firewall level
- Regular employee training on mobile phishing and fake apps
- Network segmentation for mobile devices
- Monitoring for background anomalies
This case highlights the advancing sophistication of mobile threats and how attackers leverage both platform-level capabilities and social engineering to bypass built-in protections. Enhancing mobile cyber hygiene is now a critical defense measure — not just for businesses, but for everyday users as well.