Android device users in South Korea have been targeted by a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent.
The malware "targets mnemonic keys by scanning images on your device that may contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding that the targeting footprint has since expanded to include the U.K.
The campaign uses fake Android apps that masquerade as seemingly legitimate banking, government, streaming, and utility apps to trick users into installing them. Since the beginning of the year, 280 fake applications have been detected.
It all starts with SMS messages containing booby-trapped links that encourage users to download the apps in question as APK files hosted on fraudulent websites. Once installed, they are designed to request intrusive permissions in order to collect data from the devices.
This includes contacts, SMS messages, photos, and other information about the device, which is then transmitted to an external server under the threat actor's control.
The most notable feature is its ability to use optical character recognition (OCR) to steal mnemonic keys related to the recovery phrase or seed phrase that allows users to regain access to their cryptocurrency wallets.
As a result, unauthorized access to mnemonic keys can allow threat actors to take control of victims' wallets and extract all the funds stored in them.
McAfee Labs said the command-and-control (C2) infrastructure suffered from serious security flaws that not only allowed access to the site's root directory without authentication, but also left the data collected from victims exposed.
The server also hosts an admin panel that acts as a one-stop shop for remote management of infected devices. The presence on the dashboard of an Apple iPhone running iOS 15.8.2 with the system language set to Simplified Chinese (“zh”) is a sign that it may also be targeting iOS users.
"Initially, the malware communicated with its command and control (C2) server through simple HTTP requests," Ryu said. "While this method was effective, it was also relatively easy for security tools to track and block."
"In a significant tactical shift, the malware has now adopted WebSocket connections for its communication. This update enables more efficient two-way real-time interaction with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools."
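The WebSocket shift described above matters to defenders because a WebSocket session begins as an ordinary HTTP request carrying Upgrade: websocket and Connection: Upgrade headers, after which the traffic no longer looks like request/response HTTP. That handshake is the one point a conventional web proxy still sees, and it can be used as a detection hook. The following is an added example, not code from McAfee or from the original article: it parses a constructed, simplified proxy log format (method, host, path, and the two header values), flags WebSocket handshakes to hosts outside an allowlist of known WebSocket services, and raises the severity when the destination is a bare IP literal, which legitimate services rarely use. The log lines, host names and allowlist are all made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of a web-proxy log (not real traffic). Each line records the
# request method, the destination host (optionally with port), the path, and the
# values of the Connection and Upgrade headers ("-" when the header is absent).
SAMPLE_LOG = """\
GET cdn.example.test /static/app.js connection=keep-alive upgrade=-
GET chat.example.test /socket connection=Upgrade upgrade=websocket
POST 203.0.113.10 /api/upload connection=keep-alive upgrade=-
GET 203.0.113.10:8080 /ws/ connection=Upgrade upgrade=websocket
GET updates.example-unknown.test /gateway connection=Upgrade upgrade=websocket
GET 198.51.100.7 /gateway connection=Upgrade upgrade=websocket
"""

# Hosts where WebSocket upgrades are expected (constructed allowlist for the example).
KNOWN_WEBSOCKET_HOSTS = {"chat.example.test"}

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) "
    r"connection=(?P<connection>\S+) upgrade=(?P<upgrade>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    path: str
    severity: str
    reason: str


def strip_port(host: str) -> str:
    """Drop a trailing :port from a hostname or IPv4 literal (IPv6 is not handled here)."""
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def is_ip_literal(hostname: str) -> bool:
    """True when the destination is a bare IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def find_suspicious_websockets(log_text: str, allowlist=KNOWN_WEBSOCKET_HOSTS):
    """Return one Finding per WebSocket handshake to a host not in the allowlist.

    A handshake is a request whose Upgrade header is 'websocket' and whose
    Connection header is 'Upgrade'. Handshakes to IP literals are rated higher
    because legitimate WebSocket services are normally reached by DNS name.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count and report these
        if m["upgrade"].lower() != "websocket" or m["connection"].lower() != "upgrade":
            continue  # plain HTTP request, not a WebSocket handshake
        hostname = strip_port(m["host"])
        if hostname in allowlist:
            continue  # expected WebSocket endpoint
        if is_ip_literal(hostname):
            findings.append(Finding(m["host"], m["path"], "high",
                                    "WebSocket handshake to an IP literal outside the allowlist"))
        else:
            findings.append(Finding(m["host"], m["path"], "medium",
                                    "WebSocket handshake to a host outside the allowlist"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_websockets(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host}{f.path}: {f.reason}")
```

Run against the sample log, the allowlisted chat service is ignored, the unknown hostname is reported at medium severity, and the two IP-literal destinations at high. In a real deployment the allowlist would be populated from the organisation's known WebSocket services, and the same rule can be applied to raw HTTP captures by matching on the Upgrade and Connection headers directly. Note that once the upgrade completes the session is opaque to HTTP-level inspection, which is why the handshake is the place to alert.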
The development comes just over a month after Group-IB revealed that another Android remote access trojan (RAT) called CraxsRAT has been targeting banking users in Malaysia since at least February 2024 via phishing websites. It should be noted that CraxsRAT campaigns were also previously discovered to have targeted Singapore by April 2023 at the latest.
"CraxsRAT is a known Android Remote Administration Tools (RAT) malware family that provides remote device control and spyware capabilities, including keylogging, gesture tracking, camera, screen and call recording," the Singapore-based company said.
“Victims who downloaded apps containing the CraxsRAT Android malware will experience credential leaks and illegitimate withdrawals.”