SpyAgent Android Malware Steals Cryptocurrency Recovery Phrases from Images

A new Android malware called SpyAgent employs optical character recognition (OCR) technology to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices.

A cryptocurrency recovery phrase, or seed phrase, is a series of 12-24 words that serves as a backup key for a cryptocurrency wallet. These phrases are used to restore access to your cryptocurrency wallet and all its funds in case you lose your device, data becomes corrupted, or you wish to transfer your wallet to a new device.

These secret phrases are highly valuable to threat actors, as gaining access to them allows them to restore your wallet on their own devices and steal all the funds stored within it.

Since recovery phrases consist of 12-24 words, they are difficult to remember, so cryptocurrency wallets advise users to save or print the words and store them in a secure place. To simplify this, some people take a screenshot of the recovery phrase and save it as an image on their mobile device.

A malware operation discovered by McAfee was traced back to at least 280 APKs distributed outside of Google Play via SMS or malicious social media posts. This malware can use OCR to extract cryptocurrency recovery phrases from images stored on an Android device, making it a significant threat.

Some of the Android apps pretend to be for South Korean and UK government services, dating sites, and pornography sites.

Although the activity primarily targeted South Korea, McAfee has observed a tentative expansion to the UK and signs that an iOS variant might be in early development.

In July 2023, Trend Micro revealed two Android malware families named CherryBlos and FakeTrade, which were spread via Google Play and also used OCR to steal cryptocurrency data from extracted images, indicating that this tactic is gaining traction.

SpyAgent Data Extraction

Once SpyAgent infects a new device, it begins sending the following sensitive information to its command and control (C2) server:

- The victim's contact list, likely for distributing the malware via SMS from trusted contacts.

- Incoming SMS messages, including those containing one-time passwords (OTPs).

- Images stored on the device for OCR scanning.

- Generic device information, likely for optimizing the attacks.

SpyAgent can also receive commands from the C2 server to change sound settings or send SMS messages, likely used to send phishing texts to distribute the malware.

Exposed Infrastructure

McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing researchers to gain access to them.

Admin panel pages, as well as files and data stolen from victims, were easily accessible, enabling McAfee to confirm that the malware had affected multiple victims.

The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel for easy management and immediate use in wallet hijacking attacks.

Mitigating the Risk on Android

To mitigate this risk on Android, it is important not to install apps from outside Google Play, as these are commonly used to distribute malware.

Additionally, users should disregard SMS messages pointing to APK download URLs and revoke dangerous permissions that seem unrelated to the app’s core functionality.

Finally, periodic Google Play Protect scans should be conducted to check for apps detected as malware.