New SpyAgent Malware Targets Android Users to Steal Crypto Wallet Recovery Keys Using OCR Technology
A new mobile malware campaign is targeting Android users in South Korea with a threat that McAfee Labs tracks as SpyAgent. Beyond the usual data theft, the malware applies Optical Character Recognition (OCR) to images harvested from the device in order to find and steal mnemonic keys, the recovery phrases that allow a cryptocurrency wallet to be restored on a new device.
According to McAfee Labs researcher SangRyol Ryu, the malware's targeting has expanded beyond South Korea to include users in the U.K. The campaign primarily utilizes counterfeit Android applications masquerading as legitimate banking, government, streaming, and utility apps, tricking users into downloading them. Since the beginning of the year, approximately 280 fake applications have been identified.
The attack typically begins with SMS messages containing malicious links that prompt users to download the apps as APK files from deceptive websites. Once installed, these apps request extensive permissions to access sensitive data on the device, including contacts, SMS messages, and photos. This information is then exfiltrated to a server controlled by the threat actors.
One of the most alarming features of SpyAgent is its use of OCR to recover mnemonic keys from the photos and screenshots it collects. Many users save their 12- or 24-word recovery phrase as a screenshot or a photo of a written note; running OCR over the exfiltrated image library turns those images back into text. Because the mnemonic phrase alone is sufficient to regenerate the wallet's private keys, a threat actor who obtains it can import the wallet elsewhere and drain its funds, with no further access to the victim's device or passwords required.
McAfee Labs also noted serious security lapses in the malware's command-and-control (C2) infrastructure. The server was misconfigured so that the site's root directory could be browsed without authentication, exposing the collected victim data. The same server hosts an administrator panel used to control infected devices remotely. Notably, an Apple iPhone running iOS 15.8.2 with its language set to Simplified Chinese appeared in that panel, suggesting that iOS users may be targeted as well.
Initially, the malware communicated with its C2 server through plain HTTP requests, a method that works but is easy to spot with conventional HTTP-based monitoring. In a notable shift, newer samples have moved to WebSocket connections. This gives the operators a persistent, bidirectional channel for real-time interaction with infected devices, and once the connection is established the traffic no longer looks like a series of HTTP requests, so tools that only inspect request/response pairs lose visibility. The caveat for defenders is that a WebSocket session still begins with an ordinary HTTP/1.1 request carrying an `Upgrade: websocket` header, so the handshake itself remains visible to any proxy or sensor that parses HTTP, even though the frames exchanged afterwards do not.
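The following is an added example (not McAfee's code and not code from the SpyAgent samples) that shows how a detector keyed on HTTP requests can still catch the WebSocket handshake described above. It parses raw HTTP/1.1 requests, recognises the RFC 6455 upgrade handshake, computes the `Sec-WebSocket-Accept` value the server must echo back (useful for confirming the handshake actually completed), and flags upgrades to hosts outside an allowlist. The sample requests, hostnames and IP addresses are constructed for the example.

```python
"""Spotting WebSocket C2 handshakes in captured HTTP requests.

Added example. A WebSocket session starts with a normal HTTP/1.1 GET
carrying Upgrade/Connection/Sec-WebSocket-Key headers (RFC 6455 section 4).
Only the frames exchanged after the server's 101 response fall outside
an HTTP parser's view, so the handshake is where HTTP-level monitoring
can still catch the channel being opened.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Fixed GUID from RFC 6455, appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


@dataclass
class Handshake:
    host: str
    path: str
    key: str
    expected_accept: str  # value a real server must return in Sec-WebSocket-Accept


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into its request line and header map."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def detect_ws_handshake(raw: str) -> Optional[Handshake]:
    """Return a Handshake if the request is a WebSocket upgrade, else None."""
    request_line, h = parse_request(raw)
    m = re.match(r"GET\s+(\S+)\s+HTTP/1\.1$", request_line)
    if not m:
        return None
    if h.get("upgrade", "").lower() != "websocket":
        return None
    # Connection may carry several tokens, e.g. "keep-alive, Upgrade".
    if "upgrade" not in [t.strip().lower() for t in h.get("connection", "").split(",")]:
        return None
    key = h.get("sec-websocket-key")
    if key is None:
        return None
    return Handshake(host=h.get("host", ""), path=m.group(1), key=key,
                     expected_accept=expected_accept(key))


def scan(requests: List[str], allowlist: Set[str]) -> List[Handshake]:
    """Flag WebSocket handshakes to any host not on the allowlist."""
    return [hs for hs in map(detect_ws_handshake, requests)
            if hs is not None and hs.host not in allowlist]


# Constructed sample traffic: one plain GET, one upgrade to an allowed
# host, and one upgrade to a bare IP on a non-standard port.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET /chat HTTP/1.1\r\nHost: ws.chat.example\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n",
    "GET /ws HTTP/1.1\r\nHost: 203.0.113.10:8089\r\nUpgrade: websocket\r\n"
    "Connection: keep-alive, Upgrade\r\nSec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==\r\n"
    "Sec-WebSocket-Version: 13\r\n\r\n",
]
ALLOWED_WS_HOSTS = {"ws.chat.example"}


def run_demo() -> List[str]:
    """Return the hosts of flagged handshakes for the constructed sample."""
    return [hs.host for hs in scan(SAMPLE_REQUESTS, ALLOWED_WS_HOSTS)]


if __name__ == "__main__":
    for hs in scan(SAMPLE_REQUESTS, ALLOWED_WS_HOSTS):
        print(f"WebSocket upgrade to {hs.host}{hs.path}; expect "
              f"Sec-WebSocket-Accept: {hs.expected_accept}")
```

The allowlist is the weak point of this approach: it is only as good as the inventory of WebSocket endpoints legitimately used on the device, and it does nothing once the 101 response has been returned. Pairing the handshake alert with the response (did the server actually answer 101 with the expected accept value?) separates opened channels from failed or probing connections.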
This development follows a recent report by Group-IB, which revealed another Android remote access trojan (RAT) named CraxsRAT, targeting banking users in Malaysia since at least February 2024 through phishing websites. CraxsRAT has also been linked to campaigns targeting users in Singapore as early as April 2023.
CraxsRAT is known for its remote device control and spyware capabilities, including keylogging, performing touch gestures on the victim's behalf, and recording the camera, screen, and calls. Victims who inadvertently install apps carrying CraxsRAT face credential theft and unauthorized withdrawals from their bank accounts.