SpyMax RAT

Many cybercriminals are trying to cash in on the panic and fear surrounding the Coronavirus (also known as COVID-19) outbreak. Cyber crooks are rather creative when it comes to exploiting innocent users online. One of the latest threats affiliated with the COVID-19 pandemic is the SpyMax RAT (Remote Access Trojan).

spymax app permissions
SpyMax application permission screens – Source: Lockout.com Blog

The SpyMax RAT is believed to originate from cyber crooks operating from Libya. In the past, state-sponsored actors have launched operations similar to the SpyMax RAT campaign. However, in this case, malware analysts believe that the attackers are not associated with any state. This RAT masquerades as a helpful tool that will aid users in following the latest news regarding the Coronavirus. The SpyMax RAT imitates a legitimate tool that has gained traction the past few months – the 'Corona Live' tool developed and ran by the Johns Hopkins University. However, the SpyMax RAT is in no way affiliated with the legitimate tool provided by the Johns Hopkins University. It is not yet clear how exactly the SpyMax RAT is being propagated since the fake application carrying the threat is not hosted on the official Google Play Store. The operators of the SpyMax RAT may be spreading it via text messages or on a third-party website hosted by the attackers.

spymax pricing
SpyMax pricing and features screen – Source: Lockout.com Blog

The SpyMax RAT is a modified variant of the popular SpyMax spyware, which is available for free online. The SpyMax spyware was created by the creators of SpyNote, another commercial surveillanceware, which can be used to access a variety of sensitive data on a victim's phone. It also provides the attackers with a shell terminal and the ability to activate the device's microphone and camera.

spymax admin console screen
SpyMax admin console management – Source: Lockout.com Blog

List of SpyNote permissions:


SpyMax RAT Puts Android Devices in Its Crosshairs

The SpyMax RAT targets users with Android versions from the most recent to as old as Gingerbread (2.3.3). The same attackers that use the SpyMax RAT in their Middle Eastern surveillance campaigns have also been spotted using a variety of different spyware programs, including SpyNote, SandroRat, Mobihok, and SonicSpy.

icons from bogus surveillance app
App icons from pretend surveillance campaign - Source: Lockout.com Blog

SpyNote and SpyMax share the similarity that they have both been used in COVID-19 related campaigns, in which they masquerade as the "corona live 1.1" tracker application, trying to exploit the fears of people who want to keep track of the spread of the deadly disease.

Although the bogus tracker app is still in development, it stores command and control (C2) information, including the address of the attackers' server. Starting from there, researchers were able to find 30 unique Android application packages (APKs) that share the same infrastructure and appear to be part of a larger surveillance campaign that's been ongoing since at least April 2019.

Researchers can't say for sure if the effort, which is mainly aimed at the Middle East, is state-sponsored, but countries in the region have been using out-of-the-box surveillance tools in the past.

Many countries around the world have pushed for more surveillance amidst the current COVID-19 pandemic, which is why it's even more important to be able to differentiate whether you're being tracked by the government or by hackers.

Currently, governments from around the globe are making apps that offer coronavirus health information and tracking. Moreover, such apps are sharing location information that is vital to authorities. However, countries are implementing different methods of pitching their tracking apps where some may be forced to download an app if they are caught breaking local quarantine guidelines. Such a measure may be seen as rather aggressive and disturbing. The idea of privacy infringing and violation of privacy protection laws comes into play in such sensitive cases.

Whatever the case, you should make sure that your device is protected against threats like the SpyMax RAT by installing a reputable anti-virus application compatible with your version of Android.


Most Viewed