Recent research has revealed a new Android malware targeting mnemonic keys, a crucial component for cryptocurrency wallet recovery.
Disguised as legitimate apps, this malware scans devices for images containing mnemonic phrases. Once installed, it covertly steals personal data like text messages, contacts, and images.
The researchers have identified over 280 such malicious apps targeting Korean users since January 2024; the malware uses deceptive tactics such as loading screens and redirects to mask its data-theft activity.
Malicious actors primarily target Korean mobile users through sophisticated phishing campaigns. These campaigns employ deceptive tactics, such as impersonating trusted entities, to lure victims into clicking on malicious links.
Once clicked, these links redirect users to counterfeit websites that mimic legitimate platforms and trick them into downloading APK files disguised as harmless applications.
Upon installation, these malicious APKs request excessive permissions, enabling them to steal sensitive user data and execute nefarious activities in the background.
The malware functions as a data exfiltration tool: it collects contacts, SMS messages, photos, and device information from the user’s device and sends them to a remote server.
It acts as a remote agent, receiving and executing commands from the server, which include acknowledging received data, modifying device settings, and sending SMS messages.
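The permission set an app declares is the quickest triage signal for the behaviour described above (reading SMS, contacts and photos, plus sending SMS). The following is an added example, not code from the article or from McAfee; it parses a constructed AndroidManifest.xml and flags the combination of data-access and SMS-sending permissions that this stealer would need.

```python
# Added example: flag an Android manifest whose permissions match the
# stealer profile described in the article. The manifest below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capabilities the article attributes to the malware, mapped to the
# runtime permissions an app must declare to use them.
CAPABILITIES = {
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read photos": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.READ_MEDIA_IMAGES"},
}

# Constructed sample: a "loan helper" app that asks for everything the stealer needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.loanhelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Loan Helper"/>
</manifest>"""

def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name=...> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}

def triage(manifest_xml: str) -> dict:
    """Map permissions to stealer capabilities and decide whether the profile matches.
    Suspicious when the app can both harvest data (two or more read capabilities)
    and send SMS, the channel the article says is used to reach victims' contacts."""
    perms = declared_permissions(manifest_xml)
    caps = sorted(cap for cap, needed in CAPABILITIES.items() if perms & needed)
    reads = [c for c in caps if c.startswith("read")]
    suspicious = len(reads) >= 2 and "send SMS" in caps
    return {"capabilities": caps, "suspicious": suspicious}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A legitimate loan or government app has no reason to declare this combination, so the flag is a prompt for manual review of the APK rather than a verdict on its own.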
The investigation revealed a poorly secured command and control server that exposed sensitive data, including victim images and cryptocurrency wallet details, which allowed unauthorized access to index pages and admin panels, providing insights into the attacker’s operations.
Python and JavaScript were used to process the stolen data, with OCR techniques employed to extract information from images, demonstrating the attacker’s intent to exploit victim data for financial gain.
The malware has significantly evolved its communication and detection-evasion strategies: it now uses WebSocket connections for more efficient, real-time communication with its C2 server, making it harder to detect with traditional HTTP-based tools.
It has also implemented advanced obfuscation techniques, such as string encoding and irrelevant code insertion, to confuse analysts and delay detection.
The malware has expanded its targeting to include the UK, demonstrating a deliberate attempt to broaden its reach and attack new user groups.
According to McAfee, the malware, initially disguised as loan or government apps, has evolved to exploit emotional vulnerabilities by mimicking obituary notices; the perpetrators use OCR technology to analyze the stolen data for financial gain.
Despite its limited prevalence, the malware’s impact is amplified through deceptive SMS messages sent to victims’ contacts, and the team has reported active URLs to content providers for removal.
The discovery of an “iPhone” item in the admin panel hints at a potential iOS variant, emphasizing the need for caution across all platforms.
Users should be wary of installing apps and granting permissions, store important information securely, and use security software.