New Android SpyAgent Campaign Targets Crypto Wallets Using Image Recognition

McAfee Labs released a detailed report exposing a new strain of Android malware, dubbed "SpyAgent." This malicious campaign, first observed in early 2024, is designed to target cryptocurrency credentials through advanced image recognition techniques.

The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (September 2024)

Introduction

On September 5, 2024, McAfee Labs released a detailed report exposing a new strain of Android malware, dubbed "SpyAgent." This malicious campaign, first observed in early 2024, is designed to target cryptocurrency credentials through advanced image recognition techniques. SpyAgent scans images on infected devices for mnemonic keys used to access crypto wallets, posing a significant threat to Android users in Korea and now expanding globally.

Report Overview

McAfee's Mobile Research Team first discovered SpyAgent while investigating suspicious Android applications that had been circulating in Korea. This malware disguises itself as legitimate apps, such as banking, government services, or even streaming platforms. Once installed, the malicious apps secretly collect a wide range of sensitive information, including text messages, contacts, and images, sending it to remote servers controlled by the attackers.

Since January 2024, over 280 fake apps have been identified as part of this campaign. SpyAgent uses various tactics to obscure its true purpose, including loading screens and blank screens to distract users. McAfee Mobile Security products now provide protection against this threat, but users must remain vigilant.

The malware primarily spreads through phishing campaigns, which leverage social media messages and SMS to deliver malicious links. These messages, disguised as trusted contacts or organizations, redirect victims to fake websites designed to mimic legitimate services. From there, users are prompted to download an APK file, which appears legitimate but installs the malware. Once installed, the app requests broad permissions, including access to SMS messages, contacts, and storage, which it uses to steal sensitive information.

After installation, SpyAgent begins its core operations, gathering a range of data, including:

  • Contacts: The entire contact list is exfiltrated, likely used to propagate the malware further.
  • SMS Messages: All incoming messages, including those used for two-factor authentication, are captured.
  • Photos: Any images stored on the device are uploaded to the attackers' server.
  • Device Information: System details such as the OS version and phone numbers are collected for tailored attacks.

The malware communicates with a command-and-control (C2) server, receiving instructions like:

  • ‘ack_contact’: Confirms that contacts were successfully received.
  • ‘send_sms’: Allows the malware to send phishing SMS messages to others.

Insights and Analysis

During the investigation, McAfee Labs found that several C2 servers were insecurely configured, exposing index pages and files without requiring credentials. This vulnerability allowed researchers to access the structure and data collected by the malware, revealing personal information such as images of victims and lists of infected devices.

Additionally, the malware has recently shifted to WebSocket connections for its C2 communication, which makes the traffic more efficient and harder to detect. SpyAgent has also been spotted targeting users in the UK, suggesting the attackers are expanding their reach beyond Korea.

SpyAgent represents a sophisticated and evolving threat to Android users, particularly those involved in cryptocurrency. To protect against this malware, users should avoid downloading apps from untrusted sources, be cautious of phishing messages, and regularly review the permissions granted to installed apps. Keeping security software updated is crucial in identifying and blocking threats like SpyAgent.
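The report describes the permission combination the fake apps request (SMS, contacts and storage) and recommends reviewing the permissions granted to installed apps. The following Python script, added here as an example and not taken from the article or from McAfee, turns that review into a check: it parses text in the shape of `adb shell dumpsys package <pkg>` output and flags a package that holds the SMS + contacts + storage combination and was not installed by a known app store. The dump format (bare `android.permission.*` names under "requested permissions", `name: granted=true` lines under "runtime permissions", and an `installerPackageName=` line) is assumed from typical output, the package names and the dumps themselves are constructed, and the store list is a hypothetical allowlist to adapt to your fleet.

```python
"""Permission triage against the SpyAgent collection pattern (added example).

Parses `adb shell dumpsys package <pkg>`-style text (format assumed) and flags
apps that hold SMS + contacts + storage permissions and came from outside a
known app store. All sample dumps below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# A permission token, optionally followed by the "granted=true/false" flag that
# dumpsys prints in the runtime-permissions section.
PERM = re.compile(r"(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")
INSTALLER = re.compile(r"installerPackageName=(\S+)")

# The three capabilities the report attributes to SpyAgent's data collection.
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CONTACTS = {"android.permission.READ_CONTACTS"}
STORAGE = {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES"}
# Hypothetical allowlist of installer packages; extend for your device fleet.
KNOWN_STORES = {"com.android.vending", "com.sec.android.app.samsungapps"}


@dataclass
class AppPermissions:
    package: str
    installer: Optional[str]
    requested: set = field(default_factory=set)
    granted: set = field(default_factory=set)


def parse_dumpsys(package: str, text: str) -> AppPermissions:
    """Extract installer, requested and granted permissions from a dumpsys dump."""
    app = AppPermissions(package=package, installer=None)
    m = INSTALLER.search(text)
    if m and m.group(1) != "null":
        app.installer = m.group(1)
    for name, granted in PERM.findall(text):
        app.requested.add(name)
        if granted == "true":
            app.granted.add(name)
    return app


def triage(app: AppPermissions) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if app.granted & SMS and app.granted & CONTACTS and app.granted & STORAGE:
        findings.append("holds SMS + contacts + storage permissions together (SpyAgent collection pattern)")
    # A null installer also covers adb-installed apps, so treat this as a lead, not proof.
    if app.installer is None or app.installer not in KNOWN_STORES:
        findings.append("installed from outside a known app store (sideloaded APK)")
    return findings


# Constructed dump resembling a sideloaded fake "government services" app.
SUSPICIOUS_DUMP = """\
  Package [com.example.govservice] (a1b2c3):
    userId=10123
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_EXTERNAL_STORAGE
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ user_set ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ user_set ]
      android.permission.READ_CONTACTS: granted=true, flags=[ user_set ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ user_set ]
"""

# Constructed dump of a store-installed app with only network access.
BENIGN_DUMP = """\
  Package [com.example.notes] (9f8e7d):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    runtime permissions:
"""

if __name__ == "__main__":
    for pkg, dump in (("com.example.govservice", SUSPICIOUS_DUMP), ("com.example.notes", BENIGN_DUMP)):
        for finding in triage(parse_dumpsys(pkg, dump)) or ["no findings"]:
            print(f"{pkg}: {finding}")
```

On a real device the input for one package comes from `adb shell dumpsys package <pkg>`; looping over `adb shell pm list packages -3` covers every third-party app. The check deliberately keys on granted rather than requested permissions, because a requested but never-granted permission gives the app nothing to exfiltrate.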

Indicators of Compromise (IOCs)

Indicator | Type | Description
5b634ac2eecc2bb83c0403edba30a42cc4b564a3b5f7777fe9dada3cd87fd761 | File Hash | Hash of malicious APK file used in the campaign
4cf35835637e3a16da8e285c1b531b3f56e1cc1d8f6586a7e6d26dd333b89fcf | File Hash | Hash of malicious APK file used in the campaign
3d69eab1d8ce85d405c194b30ac9cc01f093a0d5a6098fe47e82ec99509f930d | File Hash | Hash of malicious APK file used in the campaign
789374c325b1c687c42c8a2ac64186c31755bfbdd2f247995d3aa2d4b6c1190a | File Hash | Hash of malicious APK file used in the campaign
34c2a314dcbb5230bf79e85beaf03c8cee1db2b784adf77237ec425a533ec634 | File Hash | Hash of malicious APK file used in the campaign
f7c4c6ecbad94af8638b0b350faff54cb7345cf06716797769c3c8da8babaaeb | File Hash | Hash of malicious APK file used in the campaign
94aea07f38e5dfe861c28d005d019edd69887bc30dcc3387b7ded76938827528 | File Hash | Hash of malicious APK file used in the campaign
1d9afa23f9d2ab95e3c2aecbb6ce431980da50ab9dea0d7698799b177192c798 | File Hash | Hash of malicious APK file used in the campaign
19060263a9d3401e6f537b5d9e6991af637e1acb5684dbb9e55d2d9de66450f2 | File Hash | Hash of malicious APK file used in the campaign
0ca26d6ed1505712b454719cb062c7fbdc5ae626191112eb306240d705e9ed23 | File Hash | Hash of malicious APK file used in the campaign
d340829ed4fe3c5b9e0b998b8a1afda92ca257732266e3ca91ef4f4b4dc719f8 | File Hash | Hash of malicious APK file used in the campaign
149bd232175659434bbeed9f12c8dd369d888b22afaf2faabc684c8ff2096f8c | File Hash | Hash of malicious APK file used in the campaign
f9509e5e48744ccef5bfd805938bf900128af4e03aeb7ec21c1e5a78943c72e7 | File Hash | Hash of malicious APK file used in the campaign
26d761fac1bd819a609654910bfe6537f42f646df5fc9a06a186bbf685eef05b | File Hash | Hash of malicious APK file used in the campaign
0e778b6d334e8d114e959227b4424efe5bc7ffe5e943c71bce8aa577e2ab7cdb | File Hash | Hash of malicious APK file used in the campaign
8bbcfe8555d61a9c033811892c563f250480ee6809856933121a3e475dd50c18 | File Hash | Hash of malicious APK file used in the campaign
373e5a2ee916a13ff3fc192fb59dcd1d4e84567475311f05f83ad6d0313c1b3b | File Hash | Hash of malicious APK file used in the campaign
7d346bc965d45764a95c43e616658d487a042d4573b2fdae2be32a0b114ecee6 | File Hash | Hash of malicious APK file used in the campaign
1bff1823805d95a517863854dd26bbeaa7f7f83c423454e9abd74612899c4484 | File Hash | Hash of malicious APK file used in the campaign
020c51ca238439080ec12f7d4bc4ddbdcf79664428cd0fb5e7f75337eff11d8a | File Hash | Hash of malicious APK file used in the campaign
ahd.lat | Domain | Domain used for command-and-control and distribution of malicious APKs
allsdy999.org | Domain | Domain used for command-and-control and phishing campaigns
etr.lat | Domain | Domain used for command-and-control and distribution of malicious APKs
gf79.org | Domain | Domain associated with malware distribution
goodapps.top | Domain | Domain associated with fake app distribution
gov24.me | Domain | Domain associated with fake government apps
gov24.top | Domain | Domain associated with fake government apps
krgoodapp.top | Domain | Domain associated with phishing campaigns
krgov24.top | Domain | Domain associated with fake government apps
like1902.xyz | Domain | Domain used in phishing attacks
make69.info | Domain | Domain used in malware distribution
messtube999.info | Domain | Domain associated with phishing and malware
mtube888.info | Domain | Domain used for distributing malware
mylove777.org | Domain | Domain used for phishing attacks
oktube999.info | Domain | Domain associated with phishing campaigns
top1114.online | Domain | Domain associated with malware distribution
ytube888.info | Domain | Domain used in phishing and malware campaigns
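The indicators above are only useful once they are matched against something. The Python script below is an added example (not code from the article or from McAfee) that loads the SHA-256 hashes and domains from the IoC table and applies them in the two places a defender usually has: file content (an APK pulled from a device or a mail gateway) and DNS query logs. The log line format (`<timestamp> <client> <query-name>`) is an assumption, and the sample log lines and file bytes are constructed; only the hashes and domains come from the table.

```python
"""Match SpyAgent IoCs against file content and DNS logs (added example).

Hashes and domains are copied from the IoC table above. The log format and
all sample inputs are constructed for the demonstration.
"""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

APK_HASHES = {
    "5b634ac2eecc2bb83c0403edba30a42cc4b564a3b5f7777fe9dada3cd87fd761",
    "4cf35835637e3a16da8e285c1b531b3f56e1cc1d8f6586a7e6d26dd333b89fcf",
    "3d69eab1d8ce85d405c194b30ac9cc01f093a0d5a6098fe47e82ec99509f930d",
    "789374c325b1c687c42c8a2ac64186c31755bfbdd2f247995d3aa2d4b6c1190a",
    "34c2a314dcbb5230bf79e85beaf03c8cee1db2b784adf77237ec425a533ec634",
    "f7c4c6ecbad94af8638b0b350faff54cb7345cf06716797769c3c8da8babaaeb",
    "94aea07f38e5dfe861c28d005d019edd69887bc30dcc3387b7ded76938827528",
    "1d9afa23f9d2ab95e3c2aecbb6ce431980da50ab9dea0d7698799b177192c798",
    "19060263a9d3401e6f537b5d9e6991af637e1acb5684dbb9e55d2d9de66450f2",
    "0ca26d6ed1505712b454719cb062c7fbdc5ae626191112eb306240d705e9ed23",
    "d340829ed4fe3c5b9e0b998b8a1afda92ca257732266e3ca91ef4f4b4dc719f8",
    "149bd232175659434bbeed9f12c8dd369d888b22afaf2faabc684c8ff2096f8c",
    "f9509e5e48744ccef5bfd805938bf900128af4e03aeb7ec21c1e5a78943c72e7",
    "26d761fac1bd819a609654910bfe6537f42f646df5fc9a06a186bbf685eef05b",
    "0e778b6d334e8d114e959227b4424efe5bc7ffe5e943c71bce8aa577e2ab7cdb",
    "8bbcfe8555d61a9c033811892c563f250480ee6809856933121a3e475dd50c18",
    "373e5a2ee916a13ff3fc192fb59dcd1d4e84567475311f05f83ad6d0313c1b3b",
    "7d346bc965d45764a95c43e616658d487a042d4573b2fdae2be32a0b114ecee6",
    "1bff1823805d95a517863854dd26bbeaa7f7f83c423454e9abd74612899c4484",
    "020c51ca238439080ec12f7d4bc4ddbdcf79664428cd0fb5e7f75337eff11d8a",
}

C2_DOMAINS = {
    "ahd.lat", "allsdy999.org", "etr.lat", "gf79.org", "goodapps.top",
    "gov24.me", "gov24.top", "krgoodapp.top", "krgov24.top", "like1902.xyz",
    "make69.info", "messtube999.info", "mtube888.info", "mylove777.org",
    "oktube999.info", "top1114.online", "ytube888.info",
}

# Assumed log shape: "<timestamp> <client-ip> <query-name>" (e.g. a resolver log).
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_apk(data: bytes) -> bool:
    """True if the SHA-256 of the file content is one of the listed APK hashes."""
    return sha256_of_bytes(data) in APK_HASHES


def domain_matches(hostname: str) -> Optional[str]:
    """Return the IoC domain that hostname equals or is a subdomain of, else None.

    The leading dot in the suffix test keeps 'notgov24.top' from matching 'gov24.top'.
    """
    host = hostname.lower().rstrip(".")
    for d in C2_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_domain) for every line that hits the list."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, not treated as hits
        ts, client, qname = m.groups()
        matched = domain_matches(qname)
        if matched:
            hits.append((ts, client, matched))
    return hits


# Constructed resolver log: two lookups hit the list, one near-miss, one malformed line.
SAMPLE_LOG = [
    "2024-09-06T10:01:02Z 10.0.0.15 www.example.com",
    "2024-09-06T10:01:05Z 10.0.0.15 api.gov24.top",
    "2024-09-06T10:02:11Z 10.0.0.22 ytube888.info",
    "2024-09-06T10:02:30Z 10.0.0.22 notgov24.top",
    "malformed line",
]

if __name__ == "__main__":
    for ts, client, dom in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {dom}")
    print("constructed file matches IoC list:", is_known_apk(b"not a real sample"))
```

For a file on disk, read it in binary mode and pass the bytes to `is_known_apk`; hashing the whole APK is what makes this comparable with the table, since the hashes there are of the complete file. Domain matching is done as a suffix test so that any subdomain the operators stand up under a listed name is still caught.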

MITRE ATT&CK Techniques

Tactic | Technique | ID | Description
Initial Access | Phishing | T1566 | The malware is delivered via phishing campaigns through SMS and social media messages.
Execution | User Execution | T1204 | The malware requires the user to download and install a malicious APK file.
Persistence | Boot or Logon Autostart Execution | T1547 | The malicious app requests permission to run in the background upon installation.
Collection | Input Capture | T1056 | The malware captures SMS messages, contacts, and device information from infected devices.
Command and Control | Application Layer Protocol | T1071 | The malware communicates with a command-and-control server using HTTP and WebSocket.

References

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-spyagent-campaign-steals-crypto-credentials-via-image-recognition/