New Android malware steals private keys from screenshots and images

A new Android malware called SpyAgent, discovered by software security firm McAfee, can steal private keys stored in screenshots and images on a smartphone’s internal storage.

More specifically, the malware uses a mechanism known as optical character recognition (OCR) to scan images stored on a smartphone and extract words from them. OCR is present in many technologies, including desktop computers, which can recognize, copy, and paste text from images.

McAfee Labs explained that the malware is distributed through malicious links sent through text messages. The cybersecurity company broke down the process, beginning with an unsuspecting user clicking on a link they received.

Examples of the fraudulent apps discovered by McAfee. Source: McAfee

The link will redirect the user to a seemingly legitimate website and prompt them to download an application presented as trustworthy. However, the application is the SpyAgent malware, and installing it will compromise the phone.

According to the report, these fraudulent programs are disguised as banking apps, government applications, and streaming services. Upon installing the applications, users are prompted to give the application permission to access contacts, messages, and local storage.

The control panel malicious actors used to manage data stolen from victims. Source: McAfee

Currently, the malware is mainly targeting South Korean users and has been detected in over 280 fraudulent apps by McAfee cybersecurity specialists.

Related: Mac users beware: AMOS malware clones wallet apps and comes for your crypto

Malware attacks on the rise in 2024

In August, similar malware affecting MacOS systems called “ Cthulhu Stealer ” was identified. Like SpyAgent, Cthulhu Stealer disguises itself as a legitimate software application and steals personal information from the user, including MetaMask passwords, IP addresses, and private keys for cold wallets living on the desktop.

During the same month, Microsoft discovered a vulnerability in Google Chrome’s web browser, which was likely exploited by a North Korean hacker group called Citrine Sleet.

The hacker group reportedly created fake cryptocurrency exchanges and used those sites to send fraudulent job applications to unsuspecting users. Any user who followed through with the process inadvertently installed remotely controlled malware on their system—which stole private keys from the user.

Since that time, the Chrome vulnerability has been patched. However, the frequency of the malware attacks prompted the Federal Bureau of Investigation (FBI) to issue a warning about the North Korean hacking group.

Magazine: Pink Drainer creator defends his wallet-draining crypto scam kit