| SpyMax | |
|---|---|
| Type of Malware | Spyware |
| Country of Origin | Unknown |
| Date of Initial Activity | 2020 |
| Motivation | Espionage |
| Attack Vectors | Phishing |
| Type of Information Stolen | Communication Data |
| Targeted Systems | Android |
Overview
SpyMax is a Remote Access Tool (RAT) that targets Android devices, with a particular focus on users of the Telegram messaging app. Distributed through phishing campaigns, the malware masquerades as a legitimate application, which helps it evade detection and gain unauthorized access to sensitive information. By disguising itself as the Telegram app and abusing Android's Accessibility Service, SpyMax can collect a wide range of personal data, including keystrokes and location information, which it transmits to a remote command-and-control server. Its stealthy operation and data exfiltration capabilities make SpyMax a significant threat to user privacy and device security.
Targets
Individuals
How they operate
Once SpyMax is installed and granted the permissions it requests, it activates its keylogging capabilities. The malware creates a directory on the device's external storage and logs keystrokes to a file named log-yyyy-mm-dd.log, one file per day, with the date embedded in the file name. This log captures sensitive information such as login credentials and personal messages. SpyMax also gathers location data, including altitude, latitude, longitude, and speed, which gives the threat actor real-time tracking of the victim's movements and activities.
The collected data is compressed with the GZIPOutputStream API (java.util.zip) to reduce its size and disguise its content. SpyMax then connects to its Command and Control (C2) server at the IP address 154.213.65[.]28 (written defanged) on port 7771, a non-standard port chosen to evade detection. Once the connection is established, the malware sends the gzip-compressed data to the C2 server, so the exfiltrated information is less likely to be recognised by conventional monitoring tools. The C2 server responds with further instructions and payloads, which are also delivered in compressed form. These commands and additional APK files are decompressed and executed on the infected device, potentially leading to further malicious activity.
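The two host and network behaviours described above (a dated keystroke log on external storage, and gzip-compressed traffic to a fixed C2 address on a non-standard port) lend themselves to simple triage rules. The following Python script is an added example for defenders and is not code from the original profile or from the malware; it runs over constructed sample data embedded in the script. The external-storage path prefixes, the allowlist of ports where gzip payloads are unremarkable, the flow-record format, and the package name in the sample paths are all assumptions; the C2 address and port and the log file naming pattern are taken from the profile above.

```python
"""Defender-side triage rules for the SpyMax behaviours described in the profile.

Added example: not part of the original page. Sample inputs are constructed.
"""
import datetime
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicator from the profile, given there defanged as 154.213.65[.]28 on port 7771.
SPYMAX_C2_IP = "154.213.65[.]28".replace("[.]", ".")
SPYMAX_C2_PORT = 7771

# Keystroke log naming pattern from the profile: log-yyyy-mm-dd.log
KEYLOG_NAME = re.compile(r"^log-(\d{4})-(\d{2})-(\d{2})\.log$")

# Assumed Android external-storage roots; the profile only says "external storage".
EXTERNAL_STORAGE_PREFIXES = ("/sdcard/", "/storage/emulated/0/", "/storage/self/primary/")

# Assumed allowlist: gzip-compressed application data is normal on HTTP(S) ports,
# so a gzip header on any other destination port is worth a look. Tune per environment.
COMMON_PORTS = {80, 443, 8080, 8443}
GZIP_MAGIC = b"\x1f\x8b"

# Assumed flow-record format: "<ts> src=ip:port dst=ip:port proto=tcp bytes=N [first=<hex>]"
# where "first" is the hex of the first payload bytes, if the sensor records them.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)(?: first=(?P<first>[0-9a-fA-F]*))?$"
)


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def is_spymax_keylog_path(path: str) -> bool:
    """True if the path is a log-yyyy-mm-dd.log file with a valid date on external storage."""
    if not path.startswith(EXTERNAL_STORAGE_PREFIXES):
        return False
    m = KEYLOG_NAME.match(path.rsplit("/", 1)[-1])
    if not m:
        return False
    year, month, day = (int(x) for x in m.groups())
    try:
        datetime.date(year, month, day)  # reject names that only look like dates
    except ValueError:
        return False
    return True


def classify_flow(line: str) -> List[Finding]:
    """Apply the C2 indicator rule and the gzip-on-non-standard-port rule to one flow record."""
    m = FLOW_RE.match(line)
    if not m:
        return []  # unparseable record: skip rather than guess
    f = m.groupdict()
    dport = int(f["dport"])
    findings: List[Finding] = []
    if f["dst"] == SPYMAX_C2_IP and dport == SPYMAX_C2_PORT:
        findings.append(Finding(f["ts"], "spymax_c2_ioc", f"connection to {f['dst']}:{dport}"))
    try:
        first = bytes.fromhex(f["first"] or "")
    except ValueError:
        first = b""  # odd-length or malformed hex: treat as no payload sample
    if first.startswith(GZIP_MAGIC) and dport not in COMMON_PORTS:
        findings.append(Finding(f["ts"], "gzip_on_nonstandard_port", f"gzip header sent to {f['dst']}:{dport}"))
    return findings


def scan(file_paths: Iterable[str], flow_lines: Iterable[str]) -> List[Finding]:
    """Run both host and network rules and return all findings in input order."""
    findings = [Finding("-", "spymax_keylog_file", p) for p in file_paths if is_spymax_keylog_path(p)]
    for line in flow_lines:
        findings.extend(classify_flow(line))
    return findings


# Constructed sample data (package name and addresses other than the profile's IoC are made up).
SAMPLE_PATHS = [
    "/storage/emulated/0/Android/data/com.constructed.sample/log-2024-05-01.log",  # matches
    "/sdcard/Download/log-2024-13-40.log",             # impossible date, not the pattern
    "/data/data/com.constructed.sample/log-2024-05-01.log",  # internal storage, out of scope
    "/sdcard/Download/report.log",
]
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z src=10.0.0.5:43211 dst=154.213.65.28:7771 proto=tcp bytes=812 first=1f8b0800",
    "2024-05-01T10:00:05Z src=10.0.0.5:43212 dst=203.0.113.9:443 proto=tcp bytes=1500 first=16030100",
    "2024-05-01T10:00:09Z src=10.0.0.5:43213 dst=203.0.113.20:9002 proto=tcp bytes=400 first=1f8b0800",
    "not a flow record",
]

if __name__ == "__main__":
    for fnd in scan(SAMPLE_PATHS, SAMPLE_FLOWS):
        print(fnd.ts, fnd.rule, fnd.detail)
```

The gzip rule is deliberately broader than the single indicator: an IP and port are trivial for an operator to rotate, whereas the habit of pushing gzip-framed data to an unusual port is a behaviour, so the second rule keeps firing after the first goes stale. Expect it to need tuning against legitimate compressed protocols in your own environment.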
MITRE Tactics and Techniques
Defense Evasion:
Obfuscated Files or Information (T1027): SpyMax uses obfuscation techniques to conceal its true nature from detection mechanisms.
Virtualization/Sandbox Evasion (T1497): The malware evades detection by avoiding analysis in virtualized or sandbox environments.
Discovery:
Security Software Discovery (T1063): SpyMax identifies security solutions on the device to circumvent their detection capabilities.
System Information Discovery (T1082): The malware gathers detailed information about the system to enhance its functionality and tailor its actions.
Collection:
Data from Local System (T1005): SpyMax collects sensitive information from the device, including keystrokes and location data.
Command and Control:
Encrypted Channel (T1573): SpyMax secures its communications with the Command and Control (C2) server using encryption.
Non-Standard Port (T1433): The malware uses a non-standard port to communicate with its C2 server, making detection and blocking more challenging.