Security researchers recently discovered an Android mobile malware dubbed SpyAgent. Using optical character recognition (OCR), SpyAgent parses through saved screenshots to search for cryptocurrency seed phrases. These phrases are 12-24 words and are provided as a backup key to restore access to cryptocurrency wallets. Threat actors can use these seed phrases to access stolen cryptocurrency wallets.

SpyAgent’s campaign begins with a phishing attack by sending malicious links through text or direct messages on social media platforms. Threat actors pose as a reputable business or a trusted person to trick users into clicking malicious links. Once clicked, these links will direct its target to an imitation website, often created to mimic the appearance of a legitimate website. Users will be prompted to install an app that loads the SpyAgent malware onto the victim’s device. If installed, the malicious app will request permission to access sensitive
information and the ability to run in the background, which, if granted, will allow the threat actors to compromise the infected device further.

While the primary goal is to steal cryptocurrency seed phrases, researchers have found that it also targets phone contacts, text messages, photos, and device information. This campaign has mostly been localized to South Korea but has begun a tentative expansion into the United Kingdom. Security researchers have also found signs that an iOS variant is in early development. Cryptocurrency has often been the target of malware campaigns, including one targeting MacOS Bitcoin and Exodus wallet users this past January and an older Android malware campaign utilizing OCR to capture cryptocurrency wallet credentials.

Recommendations

• Refrain from clicking links found in text messages and direct messages sent from unverified sources.
• Type official website URLs into browsers manually.
• Avoid installing apps outside the Google Play store, and be wary of granting invasive and unnecessary permissions to apps.
• Obtain software from legitimate developers or companies after analyzing customer reviews.
• Forward SMiShing messages to 7726 (SPAM) and report the messages to mobile carriers.