Untold number of Android users duped by dangerous SpyNote trojan

As an update to this piece, a Google representative has informed us that Google Play Protect is aware of the core SpyNote threat and users are protected against its installation. "Google implemented user protections for this spyware ahead of this report's publication. Users are protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services." You can read more about Google Play Protect's new real-time scanning feature for unknown applications here.

Android users have been put on spyware high-alert as a banking trojan by the name of SpyNote has recently returned to the limelight.

The Android-based malware has been a background security threat for users since 2022. However, now in its third revision and with the source code of one of its variants (known as 'CypherRat') having leaked online in January of 2023, detections of this spyware have spiked throughout the year.

SpyNote isn't like many of the threats Android users face. You won't find it tucked away inside an innocuous app on the malware-infected hellscape that is Google Play — at least not for now.

Instead, its primary method of spreading is through 'Smishing', or SMS phishing. These SMS messages can range from government updates to social media alerts with links to malicious apps. Here users will be misled into downloading an Android Package file (.APK) that works outside of the Google Play Store to infect a device and begin its nefarious deeds.

SpyNote: What does it do?

As stated, SpyNote's primary method of infection is through SMS phishing attacks. However, variants of the spyware do exist and its methods of infection may evolve over time.

If you're unlucky enough to fall foul of these attempts, the third-party app (while posing as an official update or legitimate service) tricks the user into accepting various permissions — after which, it will hide itself from view and begin to work behind the scenes to collect user data in the following ways.

  • Audio recording: Including microphone access and phone calls.
  • Camera recording: Being able to access a victim's camera for pictures or video.
  • Keylogging: Recording every input and tap you make on your device.
  • Credential theft: Stealing user logins (usernames, passwords, passkeys, and more) by intercepting banking, crypto wallets, and social media apps.
  • Screen recording: Through screenshot captures and device streaming.
  • GPS tracking: Accessing location services to track a victim's location.
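
As an added example (not from the original article or from F-Secure), this Python script triages a device's third-party apps by flagging those installed from outside the Play Store that also hold several of the permissions behind the capabilities listed above. The permission mapping, the threshold of two, the Play-Store-only allowlist, and the package names and command output are all assumptions constructed for illustration.

```python
import re

PLAY_STORE = "com.android.vending"  # installer name recorded for Play Store installs
# Assumed mapping from capabilities in the list above to Android permissions.
RISKY = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "camera recording",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
}

# Constructed sample of `adb shell pm list packages -i -3` output.
SAMPLE_PACKAGES = """\
package:com.example.maps  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.notes  installer=null
"""

# Constructed excerpts of `adb shell dumpsys package <name>` output.
SAMPLE_DUMPS = {
    "com.example.maps": """
      android.permission.CAMERA: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true""",
    "com.example.sysupdate": """
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true""",
    "com.example.notes": """
      android.permission.CAMERA: granted=true
      android.permission.RECORD_AUDIO: granted=false""",
}

def parse_installers(listing):
    """Map each package name to the installer that put it on the device."""
    return dict(re.findall(r"^package:(\S+)\s+installer=(\S+)", listing, re.M))

def granted(dump):
    """Return the set of permissions marked granted=true in a dumpsys excerpt."""
    return set(re.findall(r"^\s*(android\.permission\.\w+): granted=true", dump, re.M))

def triage(listing, dumps, threshold=2):
    """Flag sideloaded packages holding at least `threshold` risky permissions."""
    flagged = []
    for pkg, installer in sorted(parse_installers(listing).items()):
        if installer == PLAY_STORE:
            continue  # installed through the verified channel
        caps = sorted(RISKY[p] for p in granted(dumps.get(pkg, "")) if p in RISKY)
        if len(caps) >= threshold:
            flagged.append((pkg, installer, caps))
    return flagged

if __name__ == "__main__":
    for pkg, installer, caps in triage(SAMPLE_PACKAGES, SAMPLE_DUMPS):
        print(f"{pkg} (installer={installer}): {', '.join(caps)}")
```

A flagged package is a candidate for review, not a verdict: apps from other legitimate stores will also show a non-Play installer.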

SpyNote: Do I have it, and how do I remove it?

SpyNote's presence is hard to detect, and even harder to remove. If you've accessed a link to an app through SMS at any point, one of the ways you can tell if SpyNote is present on your device is by seeing if it reacts to you opening your device's Settings menu.

The purpose of any piece of spyware is to collect as much information as possible; as such, it needs to stay on the device for as long as possible. One of SpyNote's methods of ensuring this is to repeatedly close the Settings menu whenever it is opened — preventing users from uninstalling the third-party app through the usual menus.

According to Amit Tembe, a researcher at security firm F-Secure, SpyNote is a particularly difficult piece of software to remove from your device, "often necessitating a factory reset, resulting in data loss."

Sadly, this seems like it's often the best way of removing the troublesome spyware from your system, before changing any and all logins you may use afterwards to prevent the spread, sale, and use of your credentials without permission.


SpyNote's pervasive pilfering of your information runs incredibly deep, meaning that removing it from your phone will be only half the journey when it comes to recovering from its effects.

As always, to avoid instances like this, Laptop Mag recommends only downloading apps through verified channels such as the Google Play Store. While it might not be perfect and security vulnerabilities will happen from time to time, it's the much safer alternative to downloading third-party Android Packages (.APKs) that bypass Google's security steps altogether.

Rael Hornby
Content Editor
