280 Android Apps Infected with SpyAgent Stealing Crypto Wallet Data via Images

Security analysts at McAfee have discovered that at least 280 Android apps are infected with the SpyAgent malware. Hackers are using optical character recognition (OCR) technology to steal recovery phrases for cryptocurrency wallets from victims’ screenshots.

How SpyAgent Targets Crypto Wallets

A recovery phrase (also known as a seed phrase) is a series of 12-24 words that serves as a backup key for a cryptocurrency wallet. These phrases are used to restore access to a crypto wallet and its funds in case of device loss, data corruption, or transferring the wallet to a new device.

Because seed phrases are long and hard to memorize, users are often advised to write them down or store them securely. However, many people take screenshots of their seed phrases and save them as images on their devices. SpyAgent’s creators have exploited this behavior by using OCR to extract seed phrases from images stored on Android devices.

Distribution and Tactics

McAfee researchers found at least 280 malicious APKs containing SpyAgent, distributed outside of Google Play via SMS and social media messages. Some of these apps impersonate legitimate government services in South Korea and the UK, official banking apps, dating apps, and adult sites. While SpyAgent mainly targets users in South Korea, experts note that the threat has recently spread to the UK as well.

What SpyAgent Steals

Once a device is infected, SpyAgent sends the following information to its command-and-control server:

  • The victim’s contact list (likely for further malware distribution via SMS)
  • Incoming SMS messages, including one-time passwords
  • Images stored on the device for OCR scanning
  • General device information

SpyAgent can also receive commands from its operators to change the device’s sound settings or send SMS messages, likely to spread phishing messages and propagate the malware.
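As an added defender-side illustration (not code from the McAfee report), the following Python check flags an Android manifest that requests the combination of permissions needed for the data collection described above: contacts, incoming SMS, sending SMS, and access to stored images. The permission strings are real Android permissions; the two manifests are constructed samples, and the threshold of three capabilities is an assumption chosen for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions an app needs for each capability the report attributes to SpyAgent.
CAPABILITIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "images": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
}

def manifest_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def matched_capabilities(manifest_xml):
    """Capabilities from CAPABILITIES that the declared permissions would enable."""
    perms = manifest_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITIES.items() if perms & needed}

def is_spyagent_like(manifest_xml, threshold=3):
    """Flag a manifest combining at least `threshold` capabilities (assumed value).
    Any single permission (e.g. image access) is common in benign apps; it is the
    combination that matches the exfiltration profile described in the report."""
    return len(matched_capabilities(manifest_xml)) >= threshold

# Constructed sample manifests; they are not taken from any real APK.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.photoeditor">
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, sorted(matched_capabilities(xml)), is_spyagent_like(xml))
```

The check is a triage heuristic for apps sideloaded via SMS or social media links, as described above; a permission footprint alone does not prove malice, so matches should be reviewed further.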

Server Vulnerabilities and Data Handling

Researchers found that SpyAgent’s operators did not secure their servers properly, allowing analysts to access the admin panel and files stolen from victims. On the server side, stolen images are processed and scanned using OCR, then organized in the admin panel, making it easy for hackers to manage and use them to compromise crypto wallets.

Ongoing Development and iOS Version

The report also notes that the malware’s developers are continually improving SpyAgent to better hide its malicious functionality. Obfuscation techniques include string encoding, adding irrelevant code, and renaming functions and variables. Researchers also found signs that an iOS version of SpyAgent is in development.

Not the First OCR-Based Malware

This is not the first malware to use OCR for stealing information from images. For example, last year, Trend Micro researchers discovered Android malware CherryBlos and FakeTrade, which also used OCR and even managed to infiltrate the official Google Play store.