Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent.
The malware “targets mnemonic keys by scanning for images on your device that might contain them,” McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K.
The campaign makes use of bogus Android apps that are disguised as seemingly legitimate banking, government facilities, streaming, and utility apps in an attempt to trick users into installing them. As many as 280 fake applications have been detected since the start of the year.
It all starts with SMS messages bearing booby-trapped links that urge users to download the apps in question as APK files hosted on deceptive sites, sideloading them outside the Play Store. Once installed, the apps request intrusive permissions that let them harvest data from the device.
This includes contacts, SMS messages, photos, and other device information, all of which is then exfiltrated to an external server under the threat actor’s control.
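The permission profile described above is something an analyst can triage statically before running a sample. The following is an added example, not code from McAfee's analysis or from the campaign itself: it parses a decoded AndroidManifest.xml (such as apktool output) and flags the combination the text describes, SMS, contacts and photo/media access together with INTERNET for exfiltration, plus a high-priority SMS_RECEIVED receiver. The two manifests embedded below are constructed for illustration, and the grouping of permissions into data classes is this example's own.

```python
"""Static triage of permissions requested by a sideloaded APK's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings; the grouping by data class is ours.
SENSITIVE_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "photos": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "exfil": {"android.permission.INTERNET"},
}

# Constructed manifest mimicking a fake "banking" app delivered by smishing.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Bank">
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed benign manifest: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def has_sms_receiver(manifest_xml):
    """True if any intent-filter registers for incoming SMS broadcasts."""
    root = ET.fromstring(manifest_xml)
    return any(a.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_RECEIVED"
               for a in root.iter("action"))


def triage(manifest_xml):
    """Score a manifest: which data classes it can read and whether it can exfiltrate."""
    perms = requested_permissions(manifest_xml)
    hit = {group for group, names in SENSITIVE_GROUPS.items() if perms & names}
    data_classes = hit - {"exfil"}
    return {
        "groups": sorted(hit),
        "sms_receiver": has_sms_receiver(manifest_xml),
        # Heuristic: two or more personal-data classes plus network access.
        "suspicious": "exfil" in hit and len(data_classes) >= 2,
    }


if __name__ == "__main__":
    print("spyware-like:", triage(SPYWARE_MANIFEST))
    print("benign:", triage(BENIGN_MANIFEST))
```

The heuristic is deliberately coarse: it is a first-pass filter for a triage queue, not a verdict, and a legitimate messaging app would trip it too. What it captures is the specific mismatch the campaign relies on, an app posing as a bank or utility that wants SMS, contacts and the photo gallery at once.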
The malware's most notable feature is its use of optical character recognition (OCR) to steal mnemonic keys, i.e., the recovery or seed phrase that lets a user regain access to a cryptocurrency wallet, by reading them out of screenshots and photos stored on the device.
Unauthorized access to the mnemonic keys could, therefore, allow threat actors to take control of the victims’ wallets and siphon all the funds stored in them.
McAfee Labs said the command-and-control (C2) infrastructure suffered from serious security lapses that not only allowed navigating to the site’s root directory without authentication, but also left exposed the gathered data from victims.
The server also hosts an administrator panel that acts as a one-stop shop to remotely commandeer the infected devices. The presence of an Apple iPhone device running iOS 15.8.2 with system language set to Simplified Chinese (“zh”) in the panel is a sign that it may also be targeting iOS users.
“Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests,” Ryu said. “While this method was effective, it was also relatively easy for security tools to track and block.”
“In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools.”
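The detection gap Ryu describes is real only if egress monitoring stops at request methods and URLs; a WebSocket session still begins with an ordinary HTTP handshake carrying Upgrade: websocket, which is the hook for a detection rule. The following is an added example, not from McAfee's analysis: it scans constructed proxy-style log lines (timestamp, source IP, destination host, then the request line and headers joined by semicolons; the format and the allowlist are assumptions for this example) and flags WebSocket handshakes to hosts that are not allowlisted, are bare IP addresses, or lack the Sec-WebSocket-Key a compliant client sends.

```python
"""Flag WebSocket C2 handshakes in HTTP egress logs (added example)."""
import ipaddress
import re

# Hosts where WebSocket traffic is expected in this environment (assumed).
ALLOWED_WS_HOSTS = {"chat.example-corp.internal", "push.example-cdn.net"}

# Constructed sample log. Format: "<ts> <src_ip> <host> <request-line>;<header>;..."
SAMPLE_LOG = """\
2024-09-06T10:01:02Z 10.0.0.12 push.example-cdn.net GET /socket HTTP/1.1;Upgrade: websocket;Connection: Upgrade;Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==
2024-09-06T10:01:05Z 10.0.0.12 203.0.113.45 GET /ws HTTP/1.1;Upgrade: websocket;Connection: Upgrade;Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
2024-09-06T10:01:09Z 10.0.0.12 api.bank.example GET /balance HTTP/1.1;Accept: application/json
2024-09-06T10:02:11Z 10.0.0.31 update.unknown-host.example GET /api/v2/stream HTTP/1.1;Connection: Upgrade;Upgrade: WebSocket;Sec-WebSocket-Version: 13
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse_line(line):
    """Split one log line into source, host, request line and a lowercase header map."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, host, rest = m.groups()
    parts = rest.split(";")
    headers = {}
    for raw in parts[1:]:
        if ":" in raw:
            name, value = raw.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"ts": ts, "src": src, "host": host, "request": parts[0], "headers": headers}


def is_ws_handshake(headers):
    """RFC 6455 handshake: Upgrade: websocket plus Connection containing 'upgrade'."""
    return (headers.get("upgrade", "").lower() == "websocket"
            and "upgrade" in headers.get("connection", "").lower())


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_ws(log_text, allowlist=ALLOWED_WS_HOSTS):
    """Return a list of flagged handshakes with the reasons each one tripped."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_ws_handshake(rec["headers"]):
            continue
        reasons = []
        if rec["host"] not in allowlist:
            reasons.append("host not allowlisted")
        if is_ip_literal(rec["host"]):
            reasons.append("bare IP destination")
        if "sec-websocket-key" not in rec["headers"]:
            reasons.append("missing Sec-WebSocket-Key")
        if reasons:
            hits.append({"src": rec["src"], "host": rec["host"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_ws(SAMPLE_LOG):
        print(hit)
```

Only the handshake is visible to an HTTP-aware sensor; once the upgrade succeeds, the frames that follow are opaque to URL-based filtering, which is exactly why the allowlist check belongs on the upgrade request and not on later traffic. Header names are matched case-insensitively because the last sample line spells the value as "WebSocket", as a client is free to do.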
The development comes a little over a month after Group-IB exposed another Android remote access trojan (RAT), referred to as CraxsRAT, that has targeted banking users in Malaysia since at least February 2024 using phishing websites. CraxsRAT campaigns had previously been observed targeting Singapore since at least April 2023.
“CraxsRAT is a notorious malware family of Android Remote Administration Tools (RAT) that features remote device control and spyware capabilities, including keylogging, performing gestures, recording cameras, screens, and calls,” the Singaporean company said.
“Victims that downloaded the apps containing CraxsRAT Android malware will experience credential leakage and the illegitimate withdrawal of their funds.”
Update
Google told The Hacker News that it has not found any evidence of the malware on the Play Store. “Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” it said.