Android users in South Korea have become the target of a new malware campaign delivering a threat known as SpyAgent.
According to McAfee Labs researcher SangRyol Ryu, the malware “targets mnemonic keys by scanning images on devices that might contain them.” He added that this targeting has now expanded to include the U.K.
The campaign spreads through fake Android apps disguised as legitimate ones, such as banking, government services, streaming, and utility apps, tricking users into installing them. Since the beginning of the year, around 280 of these fake applications have been detected.
The infection chain begins with SMS messages (smishing) carrying malicious links that urge recipients to download the trojanized apps as APK files hosted on deceptive websites, sideloading them outside the official app store. Once installed, the apps request extensive permissions that allow them to harvest data from the device.
The collected data includes contacts, SMS messages, photos, and other device information, all of which is sent to a remote server controlled by the attackers.
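The permission profile described above (SMS, contacts and image access combined with network access) is something a practitioner can triage statically from an APK's manifest before the app ever runs. The following Python script is an added example, not code from McAfee or from the campaign; the two manifests embedded in it are constructed for the demo (the package names are made up, the permission names are real Android ones), and the "two data categories plus INTERNET" threshold is an illustrative heuristic, not a published detection rule.

```python
"""Static triage of an Android manifest for a data-collection permission profile.

Added example for illustration; the manifests below are constructed and the
package identifiers are hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: an app posing as a utility that asks for the combination
# of permissions needed to read SMS, contacts and photos and send them out.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeutility">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <application android:label="Utility Helper"/>
</manifest>"""

# Constructed benign contrast: a messaging client that legitimately needs
# contacts and network access but nothing else.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Chat"/>
</manifest>"""

# Permission groups that map to the data categories the article lists.
COLLECTION_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "images": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
}
EXFIL = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str) -> dict:
    """Score a manifest: which data categories it can read and whether it can send them out."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    categories = {g for g, names in COLLECTION_GROUPS.items() if perms & names}
    network = bool(perms & EXFIL)
    # Illustrative heuristic (assumption, not a published rule): one data
    # category plus network access is common in benign apps; two or more
    # categories plus network access matches the collection profile described.
    suspicious = network and len(categories) >= 2
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "data_categories": sorted(categories),
        "network": network,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    import json
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(triage(manifest), indent=2))
```

In practice the manifest is binary-encoded inside the APK and must first be decoded (for example with `aapt dump xmltree` or `apktool`); this script takes the decoded XML. Permissions alone do not prove malice, so the result is a triage signal to prioritize deeper analysis, not a verdict.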
The most concerning feature is the use of optical character recognition (OCR) on stored images to steal mnemonic keys. These keys, also known as recovery or seed phrases, are the sequence of words from which a cryptocurrency wallet's private keys are derived, so anyone holding the phrase can restore the wallet on another device.
Unauthorized access to these mnemonic keys could allow the attackers to control the victims’ wallets and drain all the funds stored in them.
McAfee Labs also revealed that the malware’s command-and-control (C2) server has security weaknesses, including open access to its root directory without authentication. This oversight exposed victim data.
The server also hosts an admin panel that lets the attackers remotely control the infected devices. An Apple iPhone running iOS 15.8.2, set to Simplified Chinese ("zh"), was also listed in the admin panel, suggesting that iOS users may be targeted as well.
“Initially, the malware communicated with its command-and-control (C2) server through basic HTTP requests,” Ryu explained. “Although effective, it was easier for security tools to detect and block.”
The malware has since shifted to WebSocket connections for its C2 communication. Because a WebSocket session is upgraded once and then kept open as a persistent, bidirectional stream, it allows more efficient, real-time interaction with the server and is harder to spot for security tools that inspect discrete HTTP request/response pairs.
This development comes just over a month after Group-IB uncovered another Android remote access trojan (RAT) known as CraxsRAT, which has targeted banking users in Malaysia since February 2024 through phishing websites. CraxsRAT campaigns have also been detected in Singapore as early as April 2023.
According to Group-IB, CraxsRAT is a well-known malware family that allows remote device control and has spyware capabilities such as keylogging and camera, screen, and call recording. Users who downloaded apps containing CraxsRAT could have their credentials stolen and experience unauthorized withdrawals from their accounts.