SpyAgent Malware: Stealing Your Crypto Keys Through Images

Researchers at McAfee have uncovered more than 280 malicious Android applications utilizing optical character recognition (OCR) technology to steal cryptocurrency data. Collectively dubbed SpyAgent, these applications cleverly disguise themselves as official services for banks, government utilities, and popular platforms such as streaming services and bill management apps.

Criminals, distributing these applications through phishing SMS messages and malicious websites, actively harvest data from infected devices, including contacts, text messages, and images stored in the phone’s memory. Notably, none of the detected applications were ever distributed via Google Play.

The hallmark of this campaign is the use of OCR to extract cryptocurrency wallet information, which is often stored as simple screenshots. Many wallets are secured with mnemonic phrases—a random sequence of words that is easier to remember than complex private keys. These phrases are converted into text using OCR by the attackers.

McAfee researcher SangRyol Ryu, who discovered the SpyAgent campaign, managed to gain access to the servers where the stolen data was sent. This was possible due to security misconfigurations in the malware. Among the stolen data were images of wallets and their associated mnemonic phrases, indicating a targeted attack on users’ cryptocurrency assets.

To process the stolen data, the attackers utilize Python and JavaScript technologies. Images from victims’ devices undergo character recognition, after which the text is structured and managed via an administrative panel. This reveals the high level of professionalism exhibited by the hackers.

The applications were regularly updated to enhance the concealment of their malicious activities. In the latest version, they began using WebSockets for communication with command-and-control servers, making them more difficult for antivirus programs to detect. Additionally, the criminals employed code obfuscation techniques, complicating the analysis.

Although the majority of infected SpyAgent applications are currently concentrated in South Korea, there are signs that the campaign is expanding to the United Kingdom. This suggests that the attackers aim to broaden the scope of their operations, adapting the applications for different regions and users.

Notably, this malicious campaign was uncovered shortly after the detection of a similar Trojan—CraxsRAT, which targeted banking service users in Malaysia. CraxsRAT was also previously identified in Singapore, where it was used for remote device control, data theft, and unauthorized fund transfers.