Unmasking the Android SpyAgent: A Deep-Dive into the Cryptocurrency-Stealing Malware

  • Jim S
  • Sep 13, 2024
  • 3 min read


Disclaimer: The content of this article is for general informational purposes only and is not intended to be financial advice, nor should it be interpreted to be financial advice. The reader is encouraged to seek the services of an authorized professional financial advisor if s/he requires assistance with financial decisions.

 

Affiliate disclosure: This article may contain affiliate links to external websites such as Amazon or the product manufacturer. Little Orange Pill may earn commissions from purchases made through these links at no cost to you.

 

On September 5th, 2024, McAfee published an article describing a new Android malware family it calls SpyAgent.  It hunts for mnemonic recovery phrases by harvesting images from an infected device and running Optical Character Recognition (OCR) over them.  The mnemonic, also called a Seed Phrase or recovery phrase, is a 12- or 24-word list from which a wallet's seed, and from that seed every private key in the wallet, is derived deterministically.  Whoever holds the words holds the keys.
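To make concrete why a photographed phrase is as good as the private keys, here is an added example (not code from the article or from McAfee's report) that performs the standard BIP-39 mnemonic-to-seed step (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus optional passphrase) and the BIP-32 master-key step (HMAC-SHA512 keyed with "Bitcoin seed").  The mnemonic used is the public all-zero-entropy test vector, which controls no funds; the optional BIP-39 passphrase shown is part of the standard and is not something the article discusses.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, Tuple

# BIP-39 parameters from the specification.
PBKDF2_ROUNDS = 2048
SEED_BYTES = 64

# Constructed input: the public all-zero-entropy BIP-39 test vector.
# It is used here only as sample data and holds no assets.
EXAMPLE_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                    "abandon abandon abandon abandon abandon about")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 512-bit BIP-39 seed from the word list plus optional passphrase.

    This is exactly what a wallet does with the phrase, and therefore exactly
    what an attacker can do with an OCR'd photo of it.
    """
    words = unicodedata.normalize("NFKD", mnemonic.strip()).split()
    if len(words) not in (12, 15, 18, 21, 24):
        raise ValueError(f"unexpected mnemonic length: {len(words)} words")
    password = " ".join(words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, SEED_BYTES)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP-32 master key from the seed: HMAC-SHA512 keyed with b'Bitcoin seed'.

    Left 32 bytes are the master private key, right 32 bytes the chain code;
    every account key in the wallet is derived from these two values.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_from_phrase(mnemonic: str, passphrase: str = "") -> Dict[str, str]:
    """Everything the holder of the phrase (legitimate or not) can reconstruct."""
    seed = mnemonic_to_seed(mnemonic, passphrase)
    master_priv, chain_code = seed_to_master_key(seed)
    return {
        "seed": seed.hex(),
        "master_private_key": master_priv.hex(),
        "chain_code": chain_code.hex(),
    }


if __name__ == "__main__":
    # The attacker who OCR'd the twelve words gets the same seed the owner has.
    stolen = wallet_from_phrase(EXAMPLE_MNEMONIC)
    print("seed from photographed phrase:", stolen["seed"][:32], "...")

    # A BIP-39 passphrase (kept out of the photo) yields a completely different
    # wallet from the same twelve words, so the image alone is not enough.
    protected = wallet_from_phrase(EXAMPLE_MNEMONIC, passphrase="correct horse")
    print("same words + passphrase:      ", protected["seed"][:32], "...")
    print("identical?", stolen["seed"] == protected["seed"])
```

The point a practitioner should take from this is that there is no secret beyond the words: no server, no account, no second factor is consulted.  A passphrase helps only if it is never written next to the phrase or stored on the same device.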

 

This malware targets Android users and disguises itself as the kind of app people normally trust: banking, government services, utilities, or TV streaming.  McAfee identified over 280 fake apps targeting users in South Korea since January 2024, with indications that the operators planned to expand to other countries.

 

How SpyAgent Operates

 

SpyAgent is embedded in fraudulent apps that imitate legitimate ones.  Users are tricked into installing them through text messages or social-media DMs from accounts posing as people or organizations the user trusts.  The link in the message leads to a deceptive website masquerading as the real one, and that site prompts the user to download an app; that download, installed outside the official store, is how the malware lands on the device.  Users should therefore treat unsolicited links with suspicion and verify them before clicking, and should install apps only from the platform's official app store, which closes this infection vector.

 

Upon installation, SpyAgent requests permissions to read the user's contacts, SMS messages, and local storage, and to keep running in the background.  The app claims these are needed for it to function, but they serve exfiltration: it uploads images, contacts, and potentially further sensitive data to remote servers, where OCR is run over the images to find and extract any Seed Phrases they contain.

 

The attackers target Seed Phrases because a phrase alone gives full control of every cryptocurrency asset in the associated wallets.  They can then move those funds to wallets under their own control, and since blockchain transactions are irreversible, the legitimate owner has no way to claw them back.

 

Plans for Expansion

 

McAfee also observed that the malware and its targeting have evolved: newer samples have been adapted to target users in the UK.  This is significant because it shows the threat actors expanding beyond South Korea, most likely with localized lures and app themes for each new market.

 


Mitigation and Protection Strategies

 

  1. Install apps only from official stores (Google Play on Android, the App Store on iOS), and never enable installation from unknown sources to follow a link received by text or DM.

  2. Never store a recovery phrase in digital form: no photos, screenshots, notes apps, cloud backups, or messaging threads.  SpyAgent shows that anything in a device's image library can be read back out by OCR.  Use a hardware wallet, and keep the phrase offline on a physical medium such as a Cryptotag Zeus.

  3. Be wary of apps requesting more permissions than their stated function needs.  A "TV" or "utility" app has no reason to read your SMS messages, your contacts, or your photo library.
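One practical way to act on the permission warning above, and on the exfiltration pattern described under "How SpyAgent Operates", is to enumerate third-party apps and flag any that hold the contacts-or-SMS plus storage plus network combination.  The following is an added example, not code from the article or from McAfee: it parses the shape of `adb shell dumpsys package <pkg>` output.  The permission identifiers are real Android names; the dumpsys excerpts, the package names and the "suspicious combination" heuristic are this example's own constructions.

```python
import re
from typing import Dict, List, Set

# Real Android permission identifiers, grouped by the capabilities the article
# says SpyAgent asks for. The grouping itself is this example's heuristic.
SUSPICIOUS_GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.READ_MEDIA_IMAGES"},
    "network": {"android.permission.INTERNET"},
    "background": {"android.permission.FOREGROUND_SERVICE"},
}

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed, abbreviated excerpts in the shape of `adb shell dumpsys package`
# output. Not captures from a real device or from SpyAgent; package names are
# hypothetical. Collect real input with:
#   adb shell pm list packages -3        # third-party packages
#   adb shell dumpsys package <package>  # one dump per package
SAMPLE_DUMPSYS = {
    "com.example.fakebank": """
  Package [com.example.fakebank] (a1b2c3d):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.FOREGROUND_SERVICE
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.FOREGROUND_SERVICE: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
""",
    "com.example.flashlight": """
  Package [com.example.flashlight] (d4e5f6a):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.CAMERA
    install permissions:
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
""",
}

GRANTED_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=true")
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")


def granted_permissions(dumpsys_text: str) -> Set[str]:
    """Permissions actually granted (install-time and runtime), not merely requested."""
    return set(GRANTED_RE.findall(dumpsys_text))


def installer_of(dumpsys_text: str) -> str:
    match = INSTALLER_RE.search(dumpsys_text)
    return match.group(1) if match else "unknown"


def audit_package(pkg: str, dumpsys_text: str) -> Dict:
    """Flag an app that can read contacts or SMS, read stored images, and reach the network."""
    granted = granted_permissions(dumpsys_text)
    hit_groups = [name for name, perms in SUSPICIOUS_GROUPS.items() if granted & perms]
    installer = installer_of(dumpsys_text)
    exfil_capable = (
        bool({"contacts", "sms"} & set(hit_groups))
        and "storage" in hit_groups
        and "network" in hit_groups
    )
    return {
        "package": pkg,
        "installer": installer,
        "sideloaded": installer != PLAY_STORE_INSTALLER,
        "groups": hit_groups,
        "flag": exfil_capable,
    }


def audit_all(dumps: Dict[str, str]) -> List[Dict]:
    return [audit_package(pkg, text) for pkg, text in dumps.items()]


if __name__ == "__main__":
    for result in audit_all(SAMPLE_DUMPSYS):
        marker = "!! REVIEW" if result["flag"] else "   ok"
        print(f"{marker}  {result['package']:<28} installer={result['installer']:<20} "
              f"sideloaded={result['sideloaded']}  groups={','.join(result['groups'])}")
```

A sideloaded app that trips the flag is exactly the profile the article describes and deserves immediate review; a Play Store app tripping it still warrants a look, since the store is a filter, not a guarantee.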

 

Conclusion

 

The threat landscape is always evolving, and bad actors are constantly looking for ways to gain unauthorized access to crypto wallets.  SpyAgent is the latest example of a well-crafted attempt to bypass users' safeguards.  It harvests the victim's contacts to pick further targets for fraudulent SMS messages, so every infection feeds the next round of social engineering.  It impersonates legitimate apps and websites convincingly enough that users accept the permissions it requests on install.  Once running, it uploads the victim's personal data to remote servers, where OCR sifts the images for anything that looks like a Seed Phrase.  Readers are encouraged to stay vigilant when asked to click on links, even when those links appear to come from someone they know.

 
 

Little Orange Pill is owned and operated by Fox and Lion, LLC.

 

Copyright 2024, all rights reserved.
