With Google warning that Chrome is under attack, it is not surprising that its 3 billion users are primed to keep their browsers updated. But be warned — sometimes the update can be more dangerous than the vulnerabilities it’s meant to fix.
So it is with a new report from DomainTools, warning that “deceptive websites hosted on newly registered domains are being used to deliver AndroidOS SpyNote malware. These sites mimic the Google Chrome install page on the Google Play Store to lure victims into downloading SpyNote, a potent Android remote access trojan (RAT).”
We have been here before. Google Chrome has proven a particularly enticing honeypot for cybercriminals looking to trick Android users into downloading malware. Users are frequently told only to install and update apps from Play Store, and so it’s especially concerning that the new websites mimic Play Store’s own Chrome page.
As the cybersecurity team at Cyfirma explain, “SpyNote first emerged in 2020. Since its inception, it has become one of the most prevalent malware families targeting Android devices… Researchers have identified over 10,000 samples of SpyNote.”
Masquerading as fake updates and installs is the common way in which SpyNote tricks its way onto phones. Once there, it can be used for “surveillance, data exfiltration, and remote control.” It can also be primed to search for digital wallets to steal crypto, as well as targeting valuable financial security credentials.
The new websites “include an image carousel displaying screenshots of mimicked Google Play app pages. These images are loaded from “bafanglaicai888[.]top.” another suspicious domain suspected to be owned by the same actor. The carousel provides a visual aspect to enhance the illusion of a legitimate app page.”
The attacks are likely developed in China and exploit Chinese top-level domains. DomainTools warns that on installation, SpyNote “aggressively requests numerous intrusive permissions, gaining extensive control over the compromised device. This control allows for the theft of sensitive data such as SMS messages, contacts, call logs, location information, and files. SpyNote also boasts significant remote access capabilities, including camera and microphone activation and call manipulation.”
SpyNote can also steal two-factor authentication (2FA) codes, remotely wipe a phone and pull additional malware onto the device. It is, the researchers say, “a significant threat to individuals and organizations targeted by these deceptive campaigns.”
The URLs tagged in the latest campaign are as follows:
- pknby[.]top
- jygst[.]top
- dacmj[.]top
- mkstq[.]top
- sakiw[.]top
- fdtya[.]top
- hgcks[.]top
- npkms[.]top
- kmyjh[.]top
- kyudfsaugsda[.]top
- bafanglaicai888[.]top
Those in the U.S. might be familiar with the .TOP domain as it’s used heavily in the plague of road toll smishing scams now targeting iPhone and Android users.
The Anti-Phishing Working Group (APWG) warns China’s .TOP domain “has a notable history of being used by phishers.” This has resulted in the .TOP Registry’s long-running compliance problems. ICANN issued a breach letter to .TOP Registry in July 2024, citing .TOP’s failures to comply with abuse reporting and mitigation requirements, and as of March 2025 the case is still listed as unresolved on ICANN’s Web site.”
Advice for users is simple — whether on Android or any other device. Only ever update Chrome from within the app or from the official app store you use. Access that store directly and never through a link in an email, message or post.
