A newly discovered piece of malware for Google's Android mobile operating system relies on optical character recognition to steal Bitcoin & Co. The malware, called SpyAgent, uses optical character recognition (OCR) to detect recovery phrases for cryptocurrency wallets in screenshots that users have taken and stored on their mobile phone or tablet.
Attackers can easily hijack digital wallets and steal the crypto tokens contained in them.

The word sequence should be easier than the master key
Mnemonic phrases are memory aids that usually consist of 12 to 24 words. They are used to restore access to the e-wallet and all crypto assets stored on it if a user loses the device, the data becomes corrupted, or the virtual wallet needs to be transferred to a new device.
The phrase set when creating a wallet is, in theory, easier to remember than a long, complex master key that grants access to all the private keys it represents. But many users have difficulty remembering even this sequence of words.
Feature with harsh consequences
Therefore, wallet providers often recommend saving or printing the phrase and keeping it in a safe place. For convenience, some users take a screenshot of these credentials and save it to their mobile device.
SpyAgent targets these screenshots and evaluates them automatically, IT security company McAfee writes in a blog post. The malware presents itself as a supposedly trustworthy app, for example from banking and government services or from dating, porn, and streaming portals.
SpyAgent is primarily active in South Korea and Great Britain
According to the report, the apps are mainly distributed via phishing emails, currently mostly in South Korea and Great Britain. After installation, the fake apps secretly collect text messages, contacts and all saved images and send them to the evaluation server. They often distract users with endless loading screens, unexpected redirects or brief blank screens to hide their real activity.
McAfee's mobile research team says it has identified more than 280 malicious applications involved in this fraudulent scheme. Once SpyAgent infects a new device, the program sends confidential information to a command and control (C2) server. This includes the victim's contact list for further distribution, SMS messages that are searched for one-time passwords, and images stored on the device for OCR scanning.
It also contains general device information that will help customize attacks. The malware can also receive commands from C2 to change sound settings or send SMS itself.
IT security experts found poor security configurations on several C2 servers that allowed unauthorized access to some index pages and files without credentials. This allowed the researchers to access admin area pages and files stolen from victims.
An iPhone variant may be in the works
The copied images are thus processed on the server side, scanned via OCR and then organized in the admin panel to allow easy management and immediate use in wallet hijacking attacks. The team also discovered a file labeled "iPhone", which suggests that the next stage of malware development may target iOS users.
According to Bleeping Computer, Trend Micro discovered two Android malware families called Cherryblos and FakeTrade in July 2023 that were distributed through the Google Play Store and also used OCR to extract cryptocurrency data from images. This tactic is becoming increasingly popular among cybercriminals.