McAfee cybersecurity researchers have discovered hundreds of malicious Android apps designed to steal access to people's cryptocurrency wallets.
Researchers dubbed the campaign SpyAgent. So far it comprises 280 apps that mimic legitimate banking apps, government service tools, TV streaming apps, utility apps, and more. The criminals hosted them on malicious sites and third-party app stores (never the Google Play Store) and tried to trick victims into installing them via phishing, social messaging apps, and similar channels.
Once installed, the malware examined the images stored on the device and used optical character recognition (OCR) to extract any text they contained. Whatever text it could read was uploaded to an attacker-controlled cloud database, from which the attackers retrieved it.
Mnemonic keys and seed phrases
Most cryptocurrency wallets have two layers of protection. One is a password, PIN code, or biometric data, which is stored on the device and allows the user to access and operate the wallet. The other is a so-called “mnemonic key” or “seed phrase” – a set of 12 or 24 random words that allow the user to load the wallet’s contents onto a new device. The mnemonic key is a kind of backup option. If a user loses access to their phone or hardware wallet, they can get a new one, load the seed phrase, and regain access to their wallets and all the currency inside.
However, if a malicious actor gets hold of the mnemonic key, they can load the wallet onto their own device just as easily and empty it. Many people use “hot wallets” (essentially mobile apps) and keep their mnemonic key as a screenshot on the same phone, which is precisely the kind of image the malware's OCR scan harvests.
The best way to protect yourself against these apps is to install apps only from verified sources, such as the Google Play Store, and to avoid storing a seed phrase as a screenshot or photo on the device. For more details on the malicious apps, see McAfee's report.