S0305: SpyNote RAT
SpyNote RAT (Remote Access Trojan) is a family of malicious Android apps. The SpyNote RAT builder tool can be used to develop malicious apps with the malware's functionality. [1]
Analyst context for executives and security teams
SpyNote RAT is an Android malware family and builder-associated remote access trojan capability. For leaders, its significance is not just “mobile malware”; the ATT&CK relationships show behavior that can turn an employee phone into a source of audio, location, contacts, SMS messages, and local data, with Android event-based persistence via broadcast receivers. That makes it relevant to executive privacy, mobile identity risk, regulated data exposure, incident scoping, and cyber-physical concerns where device location or conversations could affect operations.
Executive priority
Prioritize validation of mobile security visibility for Android devices that access business systems. The key business question is whether the organization can identify risky or malicious Android apps requesting sensitive permissions, preserve evidence during a mobile incident, and enforce mobile access controls before exposed contacts, SMS content, local files, microphone access, or location data become an incident-management problem. This is especially important for BYOD, executives, field staff, and users with privileged access.
Technical view
ATT&CK provides no official detection text for SpyNote RAT, so SOC and IR teams should build coverage around the related Android behaviors: audio capture requiring microphone-related permissions, location access permissions, access to local system or external storage data, broadcast receiver persistence, contact list access, and SMS access. Validate whether mobile device management, mobile threat defense, endpoint telemetry, app inventory, and Android application analysis can surface suspicious permission combinations, newly installed unknown apps, apps posing as trusted brands, and persistence-related broadcast receiver registrations.
Likely telemetry
- Android app inventory and installation source history
- Android application manifest permissions, including microphone, location, contacts, SMS, and storage-related permissions
- Mobile device management or mobile threat defense alerts for suspicious apps or risky permission combinations
- Android package metadata, signing information, app name, version, and update history
- Evidence of broadcast receiver registration or event-triggered execution behavior where available
Detection direction
- Because ATT&CK does not provide a SpyNote-specific detection method, validate behavior-based coverage rather than relying only on a malware name.
- Tune detections for Android apps that request multiple sensitive permissions aligned to the related techniques: RECORD_AUDIO, location permissions, contacts access, SMS access, and storage or local data access.
- Review app provenance and brand impersonation risk, as the supplied reference describes SpyNote RAT posing as a Netflix app.
- Correlate suspicious permissions with installation source, user role, device ownership model, and whether the app is required for business use to reduce false positives.
- Check whether tools can detect or analyze broadcast receiver usage for persistence on Android; this is a common blind spot if mobile controls only report installed app names.
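The permission-combination and broadcast-receiver checks above can be run directly against an app's decoded AndroidManifest.xml. The script below is an added example, not Glexia or MITRE code; the sample manifest, package name, receiver class and the `min_techniques` threshold are constructed assumptions for the demo.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Manifest permissions mapped to the related ATT&CK techniques listed on this page.
RISKY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "T1429 Audio Capture",
    "android.permission.ACCESS_FINE_LOCATION": "T1430 Location Tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "T1430 Location Tracking",
    "android.permission.READ_CONTACTS": "T1636.003 Contact List",
    "android.permission.READ_SMS": "T1636.004 SMS Messages",
    "android.permission.RECEIVE_SMS": "T1636.004 SMS Messages",
    "android.permission.READ_EXTERNAL_STORAGE": "T1533 Data from Local System",
}

# Constructed sample manifest for the demo; package name and receiver class are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakestream">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""


def analyze_manifest(manifest_xml: str, min_techniques: int = 3) -> dict:
    # min_techniques is an assumed tuning threshold, not a published rule.
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    techniques = {RISKY_PERMISSIONS[p] for p in declared if p in RISKY_PERMISSIONS}
    # A BOOT_COMPLETED receiver plus its permission is the manifest trace of T1624.001 persistence.
    boot_receiver = BOOT_PERMISSION in declared and any(
        action.get(ANDROID_NS + "name") == BOOT_ACTION
        for receiver in root.iter("receiver") for action in receiver.iter("action")
    )
    if boot_receiver:
        techniques.add("T1624.001 Broadcast Receivers")
    return {
        "package": root.get("package"),
        "techniques": sorted(techniques),
        "boot_receiver": boot_receiver,
        "flag": boot_receiver and len(techniques) >= min_techniques,
    }
```

Feed it manifests from your app inventory (for example, decoded with apktool) and correlate flagged packages with installation source and user role, as the list above recommends.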
Mitigation priorities
- Establish or validate Android app governance for managed and BYOD devices that access enterprise resources.
- Restrict enterprise access from unmanaged or noncompliant Android devices where business risk warrants it.
- Use mobile device management or mobile threat defense controls to inventory apps, monitor high-risk permissions, and remove or block suspicious applications.
- Apply least-privilege access principles for mobile users, especially executives, administrators, and staff handling regulated or sensitive data.
- Educate users to scrutinize unexpected permission requests and apps obtained outside approved channels, while avoiding reliance on user reporting as the only control.
Analyst notes and limits
This take is based only on the supplied ATT&CK software object, its external references, and its relationships to mobile techniques. The most decision-relevant relationships are Audio Capture, Location Tracking, Data from Local System, Broadcast Receivers, Contact List, and SMS Messages. The supplied object does not specify ATT&CK tactics or aliases and provides no official detection guidance.
The ATT&CK entry identifies SpyNote RAT as Android malware and lists related behaviors, but it does not provide indicators, command-and-control details, current campaign information, prevalence, attribution, or validated detections. Local mobile telemetry, device ownership model, app inventory quality, and legal/privacy constraints will determine how actionable this is in a specific environment.
SpyNote RAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1624.001 | Broadcast Receivers (sub-technique) | SpyNote RAT uses an Android broadcast receiver to automatically start when the device boots. [1] |
| Mobile | T1430 | Location Tracking | SpyNote RAT collects the device's location. [1] |
| Mobile | T1636.003 | Contact List (sub-technique) | SpyNote RAT can view contacts. [1] |
| Mobile | T1533 | Data from Local System | SpyNote RAT can copy files from the device to the C2 server. [1] |
| Mobile | T1429 | Audio Capture | SpyNote RAT can activate the victim's microphone. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | SpyNote RAT can read SMS messages. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 1b3248628e3d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Zscaler-SpyNote: Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.
- [2] SpyNote RAT (Citation: Zscaler-SpyNote)
- [3] mitre-attack: S0305
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.