SpyAgent Mobile Malware

A new mobile malware campaign, known as SpyAgent, has begun targeting Android users in South Korea, posing a unique threat by scanning device images for mnemonic keys. Researchers have noted an expansion in its reach, now impacting users in the U.K. as well.

The malware is distributed through fake Android applications that appear to be legitimate, mimicking banking, government, streaming and utility applications. Since the beginning of the year, over 280 fraudulent applications have been identified in connection with this campaign.

SpyAgent Demonstrates Sophisticated Features to Harvest Data

The attack begins with SMS messages containing unsafe links that prompt users to download applications as APK files from deceptive websites. Once installed, these applications request intrusive permissions to access data on the device, including contacts, SMS messages, photos, and other sensitive information, which is then shared with a server controlled by the attackers.

One of the malware's most concerning capabilities is its use of optical character recognition (OCR) to capture mnemonic keys—recovery phrases that allow users to restore access to their cryptocurrency wallets. If the attackers have access to these keys, they can take control of the victims' wallets and collect all the funds stored within them.

Signs Point Towards SpyAgent Targeting iOS Users

The Command-and-Control (C2) infrastructure had significant security flaws, including unrestricted access to the site's root directory and exposure of victim data. The server also contained an administrator panel that enables remote control of infected devices. Notably, an Apple iPhone running iOS 15.8.2 with its system language set to Simplified Chinese ('zh') also appeared in that data, suggesting that iOS users may be targeted as well.

Initially, the malware communicated with the C2 server through basic HTTP requests, which, while effective, made it easier for security tools to detect and block. However, in a strategic shift, the malware now uses WebSocket connections, enabling more efficient, real-time, two-way communication with the C2 server while also making it harder for traditional HTTP-based monitoring tools to detect.
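As an added illustration of the detection point above (example code written for this page, not from the original report or the researchers who analysed SpyAgent): a small triage script over constructed egress-proxy log lines that flags WebSocket upgrades from Android clients to hosts outside an allowlist, since once the 101 handshake completes the traffic no longer looks like request/response HTTP to ordinary web filters. The log format, the allowlist and the sample hosts are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample egress-proxy log lines (not from the original page).
# Fields: timestamp client host method path status "user-agent" upgrade-header
SAMPLE_LOG = """\
2024-09-05T10:01:02Z 10.0.0.12 api.bank.example GET /v1/balance 200 "Dalvik/2.1.0 (Linux; U; Android 13)" -
2024-09-05T10:01:09Z 10.0.0.12 203.0.113.77 GET /ws 101 "Dalvik/2.1.0 (Linux; U; Android 13)" websocket
2024-09-05T10:02:15Z 10.0.0.31 cdn.example GET /img/logo.png 200 "Mozilla/5.0 (Linux; Android 12)" -
2024-09-05T10:03:40Z 10.0.0.12 203.0.113.77 GET /ws 101 "Dalvik/2.1.0 (Linux; U; Android 13)" websocket
2024-09-05T10:04:01Z 10.0.0.44 chat.example GET /socket 101 "Mozilla/5.0 (Linux; Android 14)" websocket
"""

# Hypothetical allowlist of services known to use WebSockets legitimately.
ALLOWLIST = {"chat.example"}

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" (?P<upgrade>\S+)$'
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def find_suspicious_websockets(log_text, allowlist):
    """Return [{client, host, count, reasons}] for WebSocket upgrades from
    Android clients to hosts outside the allowlist, busiest pair first."""
    hits = defaultdict(lambda: {"count": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the triage
        rec = m.groupdict()
        # A 101 response or an Upgrade: websocket header marks the handshake;
        # after it, the connection leaves ordinary HTTP inspection.
        is_upgrade = rec["status"] == "101" or rec["upgrade"].lower() == "websocket"
        if not is_upgrade or rec["host"] in allowlist:
            continue
        if "android" not in rec["ua"].lower():
            continue
        entry = hits[(rec["client"], rec["host"])]
        entry["count"] += 1
        entry["reasons"].add("websocket-to-unlisted-host")
        if IPV4_RE.match(rec["host"]):
            entry["reasons"].add("ip-literal-host")  # no DNS name at all
    return sorted(
        ({"client": c, "host": h, "count": v["count"], "reasons": sorted(v["reasons"])}
         for (c, h), v in hits.items()),
        key=lambda f: -f["count"],
    )
```

Run it as `find_suspicious_websockets(SAMPLE_LOG, ALLOWLIST)`; on the constructed sample only the repeated upgrades from 10.0.0.12 to the bare-IP host are reported.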

Mobile Devices Remain a Prominent Target for Cyberattacks

In early 2024, cybersecurity experts uncovered a new Android Remote Access Trojan (RAT) known as CraxsRAT, which has been targeting banking users in Malaysia since at least February 2024 through phishing websites. It is also noteworthy that CraxsRAT campaigns have previously been identified in Singapore as early as April 2023.

CraxsRAT is a well-known malware family within the Android Remote Administration Tools (RAT) category, offering capabilities such as remote device control and spyware functions. These include keylogging, executing gestures, and recording video from cameras, screens and calls. Users who download applications containing CraxsRAT may face credential theft and unauthorized withdrawal of their funds.
