A novel mobile malware operation dubbed SpyAgent has surfaced targeting Android device users in South Korea.
According to an investigation by McAfee Labs researcher SangRyol Ryu, the malware "targets mnemonic keys by scanning for images on your device that might contain them," and it has expanded its targeting footprint to include the UK.
The campaign uses fake Android apps to deceive users into installing them. These apps seem like real banking, government, streaming, and utility apps. As many as 280 fake apps have been uncovered since the start of the year.
It all begins with SMS messages with booby-trapped links directing users to download the apps in question in the form of APK files published on fraudulent websites. Once installed, they will request intrusive permissions to extract data from the devices.
The most prominent feature is its ability to employ optical character recognition (OCR) to steal mnemonic keys, which are recovery or seed phrases that allow users to restore access to their bitcoin wallets. Unauthorised access to the mnemonic keys could allow attackers to gain control of the victims' wallets and drain all of the funds stored in them.
According to McAfee Labs, the command-and-control (C2) infrastructure had major security flaws that permitted unauthorised access to the site's root directory as well as the exposure of victim data.
The server also has an administrator panel, which serves as a one-stop shop for remotely controlling the infected devices. The appearance of an Apple iPhone running iOS 15.8.2 with the system language set to Simplified Chinese ("zh") in the panel indicates that it may also target iOS users.
"Originally, the malware communicated with its command-and-control (C2) server via simple HTTP requests," the researchers explained. "While this method was effective, it was also relatively easy for security tools to track and block."
"In a significant tactical shift, the malware has now adopted WebSocket connections for its communications. This upgrade allows for more efficient, real-time, two-way interactions with the C2 server and helps it avoid detection by traditional HTTP-based network monitoring tools.”
The finding comes a little more than a month after Group-IB disclosed another Android remote access trojan (RAT) known as CraxsRAT, which has been targeting Malaysian banking users since at least February 2024 via phishing websites. It's worth noting that CraxsRAT campaigns have already been found to target Singapore by April 2023.