Recent research has uncovered new Android spyware targeting mnemonic keys, the recovery phrases used to restore cryptocurrency wallets. Disguised as legitimate apps, the malware scans the device for images containing mnemonic phrases and steals personal data such as text messages, contacts, and images.
Since January 2024, over 280 malicious apps have targeted Korean users, using deceptive tactics like loading screens and redirects to conceal their data theft activities.
All about New Android Spyware
Malicious actors mainly target Korean mobile users through phishing campaigns, using tactics like impersonating trusted entities to trick victims into clicking malicious links.
When clicked, these links direct users to fake websites that mimic legitimate platforms, tricking them into downloading APK files disguised as harmless apps.
Once installed, these malicious APKs request excessive permissions, allowing them to steal sensitive data and carry out malicious activities in the background.
The malware steals sensitive data from the user’s device, like contacts, SMS messages, photos, and device information, and sends it to a remote server.
It also acts as a remote agent, receiving commands from the server to change settings or send SMS messages.
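The permission combination described above (SMS, contacts and image storage, enough to lift messages, contacts and wallet screenshots and to message a victim's contacts) can be checked on a device during triage. The following is an added example, not McAfee's tooling: it parses the permission lines of `adb shell dumpsys package <pkg>` output and flags apps holding all three groups. The package names and dumps are constructed.

```python
import re

# Android permission groups the spyware abuses, per the report.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
IMAGE_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"}

# dumpsys prints one line per permission, e.g.
# "      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]"
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_permissions(dumpsys_text: str) -> set[str]:
    """Return every permission the dump reports as granted=true."""
    granted = set()
    for line in dumpsys_text.splitlines():
        m = GRANT_RE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def capability_groups(perms: set[str]) -> list[str]:
    """Name the spyware-relevant capability groups present in perms."""
    groups = (("sms", SMS_PERMS), ("contacts", CONTACT_PERMS), ("images", IMAGE_PERMS))
    return [name for name, members in groups if perms & members]


def matches_spyware_profile(dumpsys_text: str) -> bool:
    """True when an app holds all three groups. Treat it as a cue for manual
    review: a genuine messaging app can legitimately hold the same set."""
    return len(capability_groups(granted_permissions(dumpsys_text))) == 3


# Constructed sample dumps (hypothetical package names), one per app.
SAMPLE_LOAN_APP = """\
Package [com.example.loanhelper]:
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
"""
SAMPLE_TORCH_APP = """\
Package [com.example.torch]:
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""
```

Run it over each third-party package listed by `adb shell pm list packages -3` and review the apps it flags alongside their install source.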
The investigation found a poorly secured command and control server, exposing victim data such as images and cryptocurrency wallet details, and allowing unauthorized access to index pages and admin panels, revealing the attacker’s operations.
The attackers used Python and JavaScript to process the stolen data, running OCR over the stolen images to extract text from them for financial exploitation.
The malware now uses WebSocket connections for real-time C2 communication, making detection harder. It also employs advanced obfuscation techniques like string encoding and code insertion to delay detection.
Targeting has expanded to the UK, showing efforts to broaden its reach.
McAfee reports that the malware, once disguised as loan or government apps, now exploits emotions by mimicking obituary notices, using OCR to analyze stolen data for financial gain.
Though not widespread, its impact grows as deceptive SMS messages are sent to victims’ contacts. Active URLs have been reported for removal. The presence of an “iPhone” item in the admin panel suggests a possible iOS variant, underscoring the need for caution on all platforms.
Users should avoid installing suspicious apps, be careful with permissions, securely store important data, and use security software.
Indicators of Compromise
IOCs as per McAfee
SHA256 Hash(es):
Domain(s):