Understanding an Espionage Trojan called SpyNote RAT

The following information was obtained from different cyber security sources and is provided as a notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided is classified as Restricted pursuant to PNP Regulation 200-012 on document security, with an impact rating of significant and a threat rating of high, based on the PNP Information and Communications Technology (ICT) Security Manual s.2010-01 p. 22 and p. 129.


An espionage trojan called SpyNote RAT has been found masquerading as the popular Netflix app, to trick Android users into downloading it. It then sets about constantly eavesdropping on user activity.

Zscaler’s ThreatlabZ said that once installed, the malware is capable of activating the device’s microphone and listening to live conversations; uninstalling antivirus software; copying files from the device to the hacker’s server; recording screen captures; viewing contacts; reading SMS messages; and gaining remote control of the device. To the latter point, command execution can create havoc for the victim if the malware developer decides to execute commands on the victim’s device. Leveraging this feature, the malware developer can root the device using a range of vulnerabilities, well-known or zero-day.

“The spyware in this analysis was portraying itself as the Netflix app. Once installed, it displayed the icon found in the actual Netflix app on Google Play,” researchers explained, in an analysis. “As soon as the user clicks the spyware’s icon for the first time, nothing seems to happen and the icon disappears from the home screen. This is a common trick played by malware developers, making the user think the app may have been removed. But, behind the scenes, the malware has not been removed; instead it starts preparing its onslaught of attacks.”

SpyNote RAT also uses an unusual trick to make sure that it remains up and running and that the spying does not stop. It uses a component called BootComplete, which is a broadcast receiver, an Android component that can register itself for a particular event. In this case, BootComplete is triggered whenever the device is booted. BootComplete then starts the AutoStartup service, which can perform long-running operations in the background and does not need a user interface. The AutoStartup service in turn makes sure that the RAT’s core functionality is always running.
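The boot-time receiver described above is declared in the app's manifest, so it can be spotted during triage. The following is an added example, not code from the bulletin or from Zscaler: it assumes the APK's manifest has already been decoded to text XML, and the sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed sample, not from a real APK. The package name is a placeholder;
# BootComplete and AutoStartup are the component names given in the bulletin.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Netflix">
    <receiver android:name=".BootComplete">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".AutoStartup"/>
  </application>
</manifest>
"""


def boot_persistence_findings(manifest_xml):
    """Report receivers registered for the boot event and the declared services."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")

    def full_name(name):
        # Manifest class names may be relative to the package (".BootComplete").
        return package + name if name.startswith(".") else name

    permissions = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    boot_receivers = [
        full_name(r.get(ANDROID + "name", ""))
        for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") == BOOT_ACTION for a in r.iter("action"))
    ]
    return {
        "has_boot_permission": BOOT_PERMISSION in permissions,
        "boot_receivers": boot_receivers,
        "services": [full_name(s.get(ANDROID + "name", "")) for s in root.iter("service")],
        # The receiver only gets the boot broadcast if the permission is requested.
        "boot_persistence": BOOT_PERMISSION in permissions and bool(boot_receivers),
    }


if __name__ == "__main__":
    print(boot_persistence_findings(SAMPLE_MANIFEST))
```

Many legitimate apps also register a boot receiver, so a hit here is a triage signal to weigh together with the app's source, label and requested permissions, not a verdict on its own.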


The community is advised to follow the best practices listed for securing and protecting information whether for personal use or for work:

• If you don't know what it is, don't install it;
• Only install from Google Play or other reputable app stores;
• Uncheck "Install from unknown sources";
• Run some kind of threat prevention software; and
• Have a great backup of your data ready in case you need it.

For additional information, please refer to the following security websites:



Please contact CSRAD, PNP ACG for any inquiries related to this CYBER SECURITY BULLETIN, or call 7230401 local 5337.