In brief: Security researchers discovered a particularly alarming form of malware that spreads by tricking users into installing an infected app. While the attack vector is common, the insidious nature of the malicious code makes it unique: it steals crypto wallet recovery phrases by running OCR over stored images to find mnemonic passphrases.
A sophisticated new strain of Android malware has emerged from Korea. It targets cryptocurrency wallets by exploiting users' mnemonic keys. McAfee Labs researcher SangRyol Ryu came across the malware after tracing data stolen by malicious apps to rogue servers and gaining access to them.
The malicious software, dubbed SpyAgent, uses cunning tactics to infiltrate devices and exfiltrate sensitive information, including photos that may contain wallet recovery phrases. SpyAgent disguises itself as legitimate apps, ranging from banking and government services to streaming platforms and utility software. So far, McAfee has identified over 280 of these fake applications.
Once the victim downloads a SpyAgent-infected app, the malware springs into action, establishing a connection with a command and control (C2) server that allows attackers to issue instructions remotely.