New Android Malware “SpyAgent” Steals Cryptocurrency Wallets via Screenshots

By Chris Thompson

A new Android malware called “SpyAgent” has been discovered by McAfee’s Mobile Research Team, targeting cryptocurrency wallets by using optical character recognition (OCR) technology.

This malware can extract recovery phrases, also known as mnemonic keys, from images stored on infected devices. These phrases, typically made up of 12-24 words, allow users to regain access to their cryptocurrency funds if they lose access to their wallet.

Fig 1. Timeline of the SpyAgent campaign. Source: McAfee

The Danger of Storing Recovery Phrases in Images

Many cryptocurrency users take screenshots of their recovery phrases to avoid having to write them down. SpyAgent exploits this common behavior by scanning for these images and extracting the text using OCR technology.

Once the malware finds and processes this information, the attackers can use it to gain access to the victim’s cryptocurrency wallet and steal the funds.

How SpyAgent Works

SpyAgent is typically distributed through phishing campaigns that trick users into downloading fake Android apps. These apps disguise themselves as trustworthy services, such as banking, government services, or even TV streaming platforms.

Users are usually prompted to download an APK file through malicious links found in text messages or social media posts. The malware requests permissions that allow it to access sensitive information, such as contacts, SMS messages, and stored images.

Fig 2. App installation and requesting permissions. Source: McAfee

Once installed, SpyAgent collects a range of sensitive information, including contact lists, incoming SMS messages (which may contain one-time passwords), and images stored on the device.

This data is then sent to a remote server controlled by the attackers. The malware is designed to steal recovery phrases from images, using OCR to convert the pictures into text.

While the SpyAgent campaign primarily targets users in South Korea, there is evidence that the malware is expanding to other regions, including the UK. Additionally, security researchers have found hints that an iOS version of this malware may be under development, broadening the potential for harm.


How to Protect Yourself

To minimize the risk of infection, Android users should avoid installing apps from outside official stores like Google Play. Sideloaded APKs from unofficial sources are a common channel for distributing malware.

Additionally, it’s critical to be cautious of SMS messages that direct you to install APK files. Revoke any permissions that seem unrelated to an app’s core purpose, and keep your device and its security settings up to date.

Tools like Google Play Protect are helpful in automatically defending against known threats, but vigilance remains the best defense against evolving malware like SpyAgent. Always ensure your apps are from verified sources and stay informed about new security risks.
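As an added illustration of the permission review recommended above (this is example code written for this article, not a tool from McAfee or Certo), the script below audits an installed app for the SpyAgent-like profile: a sideloaded package that has been granted SMS, contacts and image access. It assumes the line format of `adb shell dumpsys package <pkg>` (the `installerPackageName=` line and `<permission>: granted=true|false` lines), and the embedded sample is constructed, not data from a real app.

```python
import re
import subprocess
import sys

# Permission groups the article says SpyAgent abuses: SMS (one-time passwords), contacts, stored images.
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "images": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.READ_MEDIA_IMAGES"},
}

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output; not data from a real app.
SAMPLE_DUMPSYS = """\
Package [com.example.fakebank] (a1b2c3):
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
"""

GRANT_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_permissions(dumpsys_text: str) -> set[str]:
    """Permissions currently granted, parsed from the 'granted=' lines of dumpsys output."""
    return {name for name, state in GRANT_RE.findall(dumpsys_text) if state == "true"}

def sideloaded(dumpsys_text: str) -> bool:
    """True when no installer package is recorded, i.e. the APK was not installed by a store."""
    m = re.search(r"installerPackageName=(\S+)", dumpsys_text)
    return m is None or m.group(1) == "null"

def audit(dumpsys_text: str) -> dict:
    """Flag each sensitive category the app can reach, plus the combined SpyAgent-like profile."""
    granted = granted_permissions(dumpsys_text)
    hits = {cat: bool(perms & granted) for cat, perms in SENSITIVE.items()}
    hits["sideloaded"] = sideloaded(dumpsys_text)
    hits["spyagent_like"] = all(hits[k] for k in ("sideloaded", "sms", "contacts", "images"))
    return hits

if __name__ == "__main__":
    # Pass a package name to audit a connected device through adb; otherwise the sample is used.
    text = SAMPLE_DUMPSYS if len(sys.argv) < 2 else subprocess.run(
        ["adb", "shell", "dumpsys", "package", sys.argv[1]], capture_output=True, text=True).stdout
    print(audit(text))
```

A hit on every category is a prompt to revoke the permissions in Settings or uninstall the app, not proof of infection on its own; legitimate messaging apps also hold several of these grants.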