SpyMax Variant Targeting Chinese-Speaking Users
In early 2025, our threat intelligence team analyzed an Android spyware sample disguised as the official app of the Chinese Prosecutor's Office (检察院). It turned out to be a deeply invasive mobile surveillance tool, an advanced variant of the SpyMax/SpyNote family, targeting Chinese-speaking users in mainland China and Hong Kong.
Rather than exploiting a software vulnerability, the campaign abuses the Android Accessibility Service, relying on polished social engineering and deceptive UI elements to get the victim to enable it. Once accessibility access is granted, the spyware gains near-total control of the device: it can read messages, monitor calls, track GPS location, activate the camera and microphone, and more.
APK Name: 检察院 (Chinese Prosecutor’s Office)
MD5: cc7f1343574f915318148cde93a6dfbc
Detection Date: April 4, 2025
Distribution: Fake official app via third-party stores
The malware’s modular design includes components for:
The spyware requests an alarming set of permissions, from SMS and camera access to silent app installation and system overlay control. Together these enable:
The most striking component is a fully interactive HTML page that impersonates Android's accessibility settings screen, complete with animated buttons and an official-looking layout, built to convince the user to grant the critical permission.
To detect this variant, we wrote a dedicated YARA rule and compiled the key IOCs, including:
C2 Server: 165.154.110.64
Network behavior: ICMP ping, encrypted transfers
Suspicious file paths and component names
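As an added example (not the report's YARA rule or tooling), the script below triages APK files offline against the two indicators published above, the MD5 and the C2 address, and adds two heuristics drawn from the description of the fake accessibility-settings page: an HTML asset shipped inside the APK and a manifest that declares an accessibility service. The entry names in the sample APK (`assets/accessibility.html`, `classes.dex`) and the sample itself are constructed here for demonstration; the verdict thresholds are this example's own, not the report's.

```python
"""Offline IOC triage for APK files against the SpyMax variant indicators.

Added example, not the report authors' tooling. Only the MD5 and the C2
address come from the report; the HTML-asset and accessibility-service
heuristics are this script's own, and the sample APK is constructed.
"""
import hashlib
import io
import zipfile

KNOWN_MD5 = "cc7f1343574f915318148cde93a6dfbc"   # indicator from the report
C2_IP = "165.154.110.64"                           # indicator from the report

# The C2 address as it appears in a DEX string table or HTML/JS asset (ASCII)
# and as it would appear in a binary XML string pool (UTF-16LE).
C2_NEEDLES = [C2_IP.encode("ascii"), C2_IP.encode("utf-16-le")]
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
PERM_NEEDLES = [ACCESSIBILITY_PERM.encode("ascii"),
                ACCESSIBILITY_PERM.encode("utf-16-le")]


def contains_any(blob: bytes, needles) -> bool:
    return any(blob.find(n) != -1 for n in needles)


def scan_apk(data: bytes) -> dict:
    """Inspect one APK (given as bytes) and return the raw findings."""
    digest = hashlib.md5(data).hexdigest()
    findings = {
        "md5": digest,
        "md5_match": digest == KNOWN_MD5,
        "c2_hits": [],            # zip entries that embed the C2 address
        "html_assets": [],        # HTML entries: candidate fake settings pages
        "accessibility_service": False,
    }
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            blob = z.read(name)
            if contains_any(blob, C2_NEEDLES):
                findings["c2_hits"].append(name)
            if name.lower().endswith((".html", ".htm")):
                findings["html_assets"].append(name)
            # Binary AndroidManifest.xml keeps its string pool in UTF-16LE
            # (or UTF-8); a raw search for both encodings is enough for triage.
            if name == "AndroidManifest.xml" and contains_any(blob, PERM_NEEDLES):
                findings["accessibility_service"] = True
    return findings


def verdict(findings: dict) -> str:
    """'match' on the published hash, 'suspicious' on the C2 address or on the
    HTML-plus-accessibility heuristic, otherwise 'clean'."""
    if findings["md5_match"]:
        return "match"
    if findings["c2_hits"]:
        return "suspicious"
    if findings["accessibility_service"] and findings["html_assets"]:
        return "suspicious"
    return "clean"


def scan_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as f:
        findings = scan_apk(f.read())
    findings["verdict"] = verdict(findings)
    return findings


def build_sample_apk(malicious: bool) -> bytes:
    """Constructed test input: a minimal zip shaped like an APK. Real APKs carry
    a binary manifest; only the string-pool encoding matters for this scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        perm = ACCESSIBILITY_PERM if malicious else "android.permission.INTERNET"
        z.writestr("AndroidManifest.xml", perm.encode("utf-16-le"))
        dex = b"Lcom/example/Main;" + (C2_IP.encode("ascii") if malicious else b"")
        z.writestr("classes.dex", dex)
        if malicious:
            # Hypothetical asset name standing in for the fake settings page.
            z.writestr("assets/accessibility.html", b"<html>Accessibility</html>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        f = scan_apk(build_sample_apk(flag))
        print(verdict(f), f)
```

The hash is an exact-match indicator and will miss any repacked build, which is why the C2 address and the overlay heuristic are checked as well; a production deployment would replace the string search with the report's YARA rule and treat the IP as a time-bounded indicator.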