Android device users in South Korea have been targeted by a new mobile malware campaign, which introduces a novel threat called SpyAgent.
SpyAgent: What is this malware and what does it do?
SpyAgent malware “targets mnemonic keys by scanning images on the device that may contain them“, has explained McAfee Labs researcher SangRyol Ryu, in an analysis, adding that the scope of the threat has widened to include the UK.
The campaign uses fake Android applications (for a change…) disguised as seemingly legitimate apps from banking services, government facilities, streaming platforms and utilities, with the intent of tricking users into installing them; Since the beginning of the year, up to 280 fake apps (some of which imitate real ones) have been detected.
The process begins with sending SMS messages containing deceptive links that urge users to download apps in the form of APK files hosted on fraudulent sites and once installed, these apps ask for invasive permissions to collect data from the devices.
The collected data includes contacts, SMS messages, photos, and other device information, which is then exfiltrated to an external server controlled by cybercriminals.
Malware SpyAgent and its peculiar features
The most notable feature of the malware is its ability to exploit optical character recognition (OCR) to steal mnemonic keys, which refers to a recovery phrase or seed phrase that allows users to regain access to their cryptocurrency wallets.
Unauthorized access to these keys would allow attackers to take control of victims’ wallets and steal all funds stored in them.
McAfee Labs reported that the malware’s command and control (C2) infrastructure It had serious security vulnerabilities that allowed not only access to the site’s main directory without authentication, but also exposed data collected from victims.
The server also hosts an administrative panel that acts as a command center to remotely control infected devices and the presence of an Apple iPhone device with iOS 15.8.2 and the system language set to Simplified Chinese (“zh”) inside the panel suggests that iOS users could also be targeted.
SpyAgent Malware: Its Origin
“Originally, the malware communicated with the C2 server via simple HTTP requests.“, Ryu said. “While this method was effective, it was also relatively easy to track and block by security tools.“.
Ryu then added: “In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This update enables more efficient, real-time, two-way interactions with the C2 server and helps avoid detection by traditional HTTP-based network monitoring tools.”
The development comes just over a month after Group-IB disclosed another Android remote access trojan (RAT) called CraxsRATwhich has been targeting banking users in Malaysia since at least February 2024, using phishing websites; It is therefore worth noting that CraxsRAT campaigns had already been detected previously with targets in Singapore, no later than April 2023..
“CraxsRAT is a notorious Android Remote Administration Tools (RAT) malware family that includes remote device control and spyware capabilities, including keylogging, gesture execution, video, screen and call recording.“, has declared the Singapore company, concluding: “Victims who download apps containing the CraxsRAT Android malware will have their credentials stolen and their funds illegitimately withdrawn..”
#SpyAgent #Android #Malware #Steals #Cryptocurrency
