SpyAgent Android Malware Steals Your Crypto Recovery Phrases From Images 32
SpyAgent is a new Android malware that uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from screenshots stored on mobile devices, allowing attackers to hijack wallets and steal funds. The malware primarily targets South Korea but poses a growing threat as it expands to other regions and possibly iOS. BleepingComputer reports: A malware operation discovered by McAfee was traced back to at least 280 APKs distributed outside of Google Play using SMS or malicious social media posts. This malware can use OCR to recover cryptocurrency recovery phrases from images stored on an Android device, making it a significant threat. [...] Once it infects a new device, SpyAgent begins sending the following sensitive information to its command and control (C2) server:
- Victim's contact list, likely for distributing the malware via SMS originating from trusted contacts.
- Incoming SMS messages, including those containing one-time passwords (OTPs).
- Images stored on the device to use for OCR scanning.
- Generic device information, likely for optimizing the attacks.
SpyAgent can also receive commands from the C2 to change the sound settings or send SMS messages, likely used to send phishing texts to distribute the malware. McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing the researchers to gain access to them. Admin panel pages, as well as files and data stolen from victims, were easily accessible, allowing McAfee to confirm that the malware had claimed multiple victims. The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel accordingly to allow easy management and immediate utilization in wallet hijack attacks.
- Victim's contact list, likely for distributing the malware via SMS originating from trusted contacts.
- Incoming SMS messages, including those containing one-time passwords (OTPs).
- Images stored on the device to use for OCR scanning.
- Generic device information, likely for optimizing the attacks.
SpyAgent can also receive commands from the C2 to change the sound settings or send SMS messages, likely used to send phishing texts to distribute the malware. McAfee found that the operators of the SpyAgent campaign did not follow proper security practices in configuring their servers, allowing the researchers to gain access to them. Admin panel pages, as well as files and data stolen from victims, were easily accessible, allowing McAfee to confirm that the malware had claimed multiple victims. The stolen images are processed and OCR-scanned on the server side and then organized on the admin panel accordingly to allow easy management and immediate utilization in wallet hijack attacks.
Does nobody know how to write on paper anymore? (Score:4, Insightful)
Critical secrets belong in your memory or on (well secured) paper. They do not belong into electronic storage of any kind, in any form, unless fully offline. But no current electronic offline storage can compete in terms of reliability, usability and simplicity with paper.
Why doe the obvious have to be repeated? Anybody in the modern world should understand that your phone and computer are not secure computing devices.
Re: (Score:2)
Too bad people were taught technology was a panacea and some might even take you for a Luddite (it happens to me) for what you posted but you are essentially correct!
Re: (Score:2)
Thanks. And I agree. People expect things from modern technology it cannot deliver.
As to "Luddite", well. People are stupid and many of the stupid get aggressive whenever somebody tells them that no, their fantasies about technology (or the world) are not true. It helps that I am a PhD-level CS type. As such, I can see on expert level that classical paper still beats computers in many ways when it comes to some forms of personal data recording and storage. I always find it hilarious when people lug their la
Re: (Score:1)
Lots of stupid people think lots of stupid things, the Luddites weren't anti-tech. They were anti-corporatism.
Re: (Score:2)
Lots of stupid people think lots of stupid things, the Luddites weren't anti-tech. They were anti-corporatism.
I do not think it is that simple or that the movement was homogeneous either.
Re: (Score:2)
I do not think it is that simple or that the movement was homogeneous either.
A whatever-ite is someone who follows whatever, and Ned Ludd's message was that advances in technology must benefit the people. If they were just anti-tech, they weren't Luddites, they were just smashing stuff. They didn't want to stop progress, they wanted progress to benefit The People. That the movement has been described as the former when it was the latter is a typical result of the Stockholm syndrome which enables capitalism.
Re: (Score:2, Informative)
I'm still gonna place the blame squarely on the irreversible nature of cryptocurrency transactions. For comparison, most people don't even give a second thought to handing their credit card to a server at a restaurant. If the card ends up getting compromised you can just contact the issuer to have any fraudulent charges reversed and request a replacement card with a new number.
If someone gets access to your crypto wallet though, you're SOL.
Re: (Score:2, Informative)
Obviously. Crapto "security" is laughable in all its forms. But this here is a more general problem with data storage. Apparently the people doing it think that pictures are safe.
Re: (Score:3)
I'm still gonna place the blame squarely on the irreversible nature of cryptocurrency transactions.
I have next to no idea how cryptocurrency works, but isn't that the same as cash, and isn't that the point?
crypto is often worse than cash (Score:2)
You lock cash up in a vault, it's reasonably safe. Even if they get the vault combo, they still have to physically show up.
In addition, even if your cash is stolen, if you were smart enough to have the serial numbers written down, they can look for them.
This is frequently not the case for crypto.
Another thing with crypto (many varieties): You can pay in cash for free. You have to pay 'gas fees' to transfer crypto.
It combines some of the worst aspects of debit cards and cash.
Re: (Score:1)
All of the properties of cash that you like are available with crypto but the UI isn't for beginners STILL.
It's not possible currently to fund such development. Probably because of the regulatory uncertainty but constrained blocksize is more profitable on greedy chains because they can collect rents.
It's very disappointing.
The most overt cash-replacement chain is Bitcoin Cash (obviously) and devs increase the blocksize as needed to keep tx fees under 2 cents.
In jurisdictions where it's popular you'll often
Re: (Score:2)
All of the properties of cash that you like are available with crypto
That is a Big Lie, i.e. this claim is so far from the truth that it is staggering. Obviously, lying like crazy about their fetish is the main mode of the crapto-bros.
Re: (Score:2)
I think the main point of crypto is that no one has the authority to simply print more money, with no one having the authority to confiscate money nor block transactions a secondary point. In principle there's no reason you couldn't have a system where an authority could reverse transactions but not print money, though that's pretty much exactly the description of a credit card company.
Though I think the real main point of crypto is allowing the early adopters to print fiat currency for dramatically less th
Re: (Score:1)
Because crypto isnt real fiduciary money. Its a glorified minecraft sword. Its not even a tangible asset. Its only value is that someone else is willing to pay for your minecraft sword.
Re: (Score:2)
The illusion of security is so important both to the tech companies, and to the users' psyche, that there are very few on either end who would break it.
And yes, the majority of people do this now (store all passwords as photos on-device). I have observed this looking at front-line support. I wasn't working in tech in the 90s but I imagine it's even more prevalent than the "Post-it stuck on the monitor" method. People at least have an intuitive understanding of why that's insecure. Once you start operating i
Re: (Score:2)
People are doing that mass-scale? The mind boggles. There really must be some strong psychological force at work that suppresses all rationality and makes them utterly stupid.
May also explain why so many people think Microsoft makes good products, when in actual reality they get worse and worse. Or why so many people think AI is great and can do anything. And some other completely disconnected opinion about technology many people have.
Re: (Score:2)
It's all driven by the same psychology.
But yes, the specific practice of pictured/screenshotted passwords is super common. Support agents will often suggest it, even if the users aren't already doing it. It cuts down on return visits.
It doesn't surprise me that malware is starting to do OCR. And now that everyone's backing up their photos to cloud storage, where it gets used to train AI and scanned for wrongthink, it wouldn't surprise me if passwords started leaking from that end somewhere too.
Re: (Score:2)
And now that everyone's backing up their photos to cloud storage, where it gets used to train AI and scanned for wrongthink, it wouldn't surprise me if passwords started leaking from that end somewhere too.
Yes, probably. We could recently see nicely how abysmally bad cloud security can get:
https://www.cisa.gov/sites/def... [cisa.gov]
Re: (Score:2)
And if you lose it, you're hosed.
These things are the literal key to your wallet, and usua
Re: (Score:2)
Well, if you do not secure something critical in an adequate way, you are doing it wrong, obviously. The difference is that somebody that is not an IT security expert _can_ secure that piece of paper. For that smartphone or computer, even an IT security expert will find it difficult to secure them on the level needed here. The main difference is that paper does not have remote access and that one is obvious to anybody that actually thought about it.
And seriously, "Chances are they're going to take a photo o
Re: (Score:1)
Fuck me did you just suggest we write down critical passcodes on paper after 2 decades of security professionals trying to get people to stop doing precisely that?
What are you even doing on Slashdot, my grandmother has more technical prowess than you do.
Re: (Score:3)
No real security experts has ever tried to stop people from writing down passwords on paper. Only the bogus ones do. And there are a lot of bogus "security experts". These are the same ones that insist passwords must be changed regularly and other pretty obvious nonsense.
This "do not write down passwords" stupidity is prevalent enough that I can even give references debunking it:
https://www.schneier.com/blog/... [schneier.com]
https://web.archive.org/web/20... [archive.org]
https://krebsonsecurity.com/pa... [krebsonsecurity.com]
Re: (Score:2)
No real security experts has ever tried to stop people from writing down passwords on paper.
Of course they have. Your no true Scotsman fallacy is weak. Also your "debunking" is a bunch of people suggesting that we need systems to store passwords securely and not providing people the tools they need to do it properly. Instead they treat people like idiots suggesting they are only capable of securing pieces of paper.
That doesn't make the advice good. That makes the advice basic. Its kind of like how teach a retard to count to 10 before proposing they study advanced calculus. That doesn't mean that t
An image is worth a thousand bitcoins (Score:3)
Next time, remember that paper is very hard to hack.
Re: (Score:1)
Obvious solution (Score:4, Insightful)
You wouldn't carry your credit card around with the PIN on a post-it note tacked onto it would you?
Don't store personal or sensitive material - recovery codes, photos, recordings or anything of any importance - on your mobile device.
A cellphone is a device that you can lose in an instant. Mobile devices are inherently insecure. Whoever finds it can exploit the data that's on it, if Big Data and other sumbitches don't get at it first through the intartubes.
Does this really need explaining?
Re: (Score:2)
Given that the most commonly used password is 123456, I would not put it past people to write their PIN on their CC. Of course a PIN is completely optional at a POS terminal in the US.
One more reminder (Score:3)
Why I just love Recall
One had it comming (Score:2)
Putting a passphrase seed in an image that naturally gets uploaded to the cloud, if not explicitly, automatically by google and other software is just the equivalent to broadcasting it.
Sorry for people who'd expect any privacy in that. The hard part nowadays is having __any__ photo not being uploaded and OCRed.
And one have still to be aware of ubiquitous security cameras, besides mobile cams, when going in public (or at home) with ANY secret which can be recovered from images (including door keys)