Android/SpyNote bypasses Restricted Settings + breaks many RE tools

Today, I reversed an Android spyware with multiple tricks. The malware has been discovered by @malwrhunterteam 2 days ago.

AbstractThe malware bypasses Android 13 Restricted Settings by using a session-based package installer to load a second (malicious) APK, which is stored locally in the assets.The second APK uses a malformed ZIP which breaks most automatic unzipping tools. It is packed with JsonPacker but, because of bad ZIP, the payload must be retrieved more or less manually.The malicious payload reveals …

android android 13 android spyware apk assets installer locally malformed malicious malware malware analysis package restricted session settings spynote spyware today tools zip