A new Android spyware called SpyAgent uses optical character recognition (OCR) to extract cryptocurrency wallet recovery phrases from screenshots and photos stored on infected mobile devices.
A cryptocurrency recovery phrase is a series of 12-24 words that serves as the backup key for a Bitcoin wallet; among cryptocurrency users it is commonly called a seed phrase. It restores access to the wallet and all of its funds if the owner loses a device, the data becomes corrupted, or the wallet is moved to a different device.
That recovery capability is exactly what makes these secret phrases attractive to attackers. Researchers explained that once a threat actor obtains the phrase, they can use it to restore the victim's wallet and take control of it.
The SpyAgent operators bank on the fact that a 12-24 word recovery phrase is hard to memorise, so many users take a screenshot of it for safekeeping. Researchers believe the campaign deliberately targets such users: once a screenshot of the phrase exists on the device, it becomes the attackers' primary target.
This is why cryptocurrency wallets advise users to write down or print the words and keep that copy somewhere safe rather than storing it on the device.
So far, the operation has been linked to at least 280 APKs distributed outside Google Play, using SMS messages and fraudulent social media posts to spread the spyware. Once installed, the spyware runs OCR over the images stored on the Android device to recover Bitcoin recovery phrases, posing a significant threat to crypto users.
Some of the malicious apps pose as South Korean and UK government services, dating sites, and adult-themed websites. Although the activity was primarily aimed at South Korea, the researchers observed a surge in the United Kingdom and found indications that an iOS counterpart is in development.
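Because every SpyAgent sample reported so far was distributed outside Google Play, a quick triage step on a suspect device is to list which packages were not installed by the store. The following is an added example, not code from the article or from the researchers: it parses the output of `adb shell pm list packages -i` (each line has the form `package:<name>  installer=<installer package>`) and reports packages whose installer is not a trusted store. The trusted-installer set, the system-package prefixes, and the sample output are all assumptions constructed for the example.

```python
"""Flag sideloaded Android packages from `adb shell pm list packages -i` output.

Added example (not from the article). Google Play installs report
installer=com.android.vending; manually installed APKs typically report
installer=null or the package installer/browser that wrote them.
"""
import re
from typing import Dict, List

# Installers treated as trusted app stores (assumption; extend per device policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Packages bundled with the OS also report installer=null, so a small
# allowlist of system package prefixes keeps them out of the report (assumption).
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")
SYSTEM_EXACT = {"android"}

# One line of `pm list packages -i` output; whitespace between fields varies.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> installer package, skipping lines that do not match."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            result[match.group("pkg")] = match.group("inst")
    return result


def is_system_package(pkg: str) -> bool:
    return pkg in SYSTEM_EXACT or pkg.startswith(SYSTEM_PREFIXES)


def sideloaded_packages(text: str) -> List[str]:
    """Return non-system packages whose installer is not a trusted store, in output order."""
    flagged: List[str] = []
    for pkg, installer in parse_pm_output(text).items():
        if is_system_package(pkg):
            continue
        if installer not in TRUSTED_INSTALLERS:
            flagged.append(pkg)
    return flagged


# Constructed sample output (not captured from a real device).
SAMPLE_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.gms  installer=null
package:com.example.govservice  installer=null
package:com.example.dating  installer=com.android.packageinstaller
package:org.example.bank  installer=com.android.vending
package:android  installer=null
"""

if __name__ == "__main__":
    # On a real device: adb shell pm list packages -i > packages.txt
    for pkg in sideloaded_packages(SAMPLE_OUTPUT):
        print(f"review: {pkg} (installer={parse_pm_output(SAMPLE_OUTPUT)[pkg]})")
```

A flagged package is not proof of infection; it is a shortlist for manual review (who published it, what permissions it holds, whether it matches the campaign's government-service or dating-app lures). Enterprise fleets can run the same check from their MDM inventory instead of adb.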
Cryptocurrency users should keep up with the latest threats targeting the community. Threat actors continually refine their techniques to get at funds, and users who are unaware of them are left empty-handed.