Android malware has been spotted in a fake volcanic eruption public alert app in Italy. It could siphon off certain data, particularly login credentials for sensitive applications. Be careful, because this malware is becoming more and more widespread through other applications.
France has FR-Alert, an emergency alert system. Italy has the same kind of service, called, unsurprisingly, IT-Alert. Unfortunately, hackers hijacked this name to publish a fake volcanic eruption alert app, which turned out to be malware.
IT-Alert: the Italian alert service hijacked
IT-Alert is a real public service, managed by the Italian government and the local civil protection department. It provides emergency alerts and advice to the population in the event of disasters: fires, floods, earthquakes, etc. Unlike mainland France, it also issues volcanic eruption alerts.
A fake IT-Alert site was set up to imitate this service. It claimed to warn of the risk of volcanic eruptions and invited visitors to download an application to their smartphone. On iOS devices, users were redirected to the real IT-Alert site. But for Android device owners, the download of an APK file, “IT-Alert.apk”, was launched.
An APK is the installation file for an application, and it can be installed without going through the Play Store, where applications are checked beforehand. That is enough for hackers to slip past Google's checks. The site was spotted by the Italian cybersecurity experts at D3Lab.
SpyNote: malware that keeps evolving and continues to rage
The problem was that this APK file contained malware named SpyNote. Because the fake application can access accessibility settings, SpyNote gets those rights as well. This allows it to perform numerous actions on victims’ smartphones.
This is how SpyNote can steal credentials from applications: banks, cryptocurrencies, social networks, etc. The malware can also record from the camera, track GPS location, log keystrokes, take screenshots and intercept phone calls.
As Bleeping Computer reports, SpyNote has been known on Android since 2022. Two major releases later, it continues to be sold among hackers, notably via private channels on Telegram, which offers its users secure pseudonymity. This third version is still rampant: a ThreatFabric report published in early 2023 notes an increase in the number of SpyNote detections on smartphones.
The increase is due to the leak of the source code of a modified version, named CypherRat. This source code made it possible to create several variants targeting banking applications, social networks or messaging services. 10 months later, it’s F-Secure’s turn to sound the alarm: SpyNote detections are skyrocketing.
How to protect yourself from the dangers of this virus?
To protect yourself from the dangers of this malware, we advise you not to download and install APK files on your Android device. Download apps through secure app stores, like the Play Store.
A Google spokesperson reminded Bleeping Computer that no application in the Play Store is infected by SpyNote. He added that Google had put additional protections in place before F-Secure’s report was released.
Additionally, the Google Play Protect feature can warn users or block apps if they behave suspiciously. To take advantage of this, make sure Google Play Services is activated and up to date. Be careful though: like any security solution, it is not infallible.