McAfee discovers new Android malware “SpyAgent”
*McAfee Corporation*
Press release: September 19, 2024
*Mainly targeting Korean users, stealing crypto asset authentication information using an image recognition function*
McAfee Inc. (Headquarters: Chiyoda-ku, Tokyo), a provider of online security products, announced the discovery of SpyAgent, a new type of mobile malware for Android that scans the images on a device and targets the mnemonic key (a phrase of 12 English words) used to restore apps and software that manage crypto assets.

This Android malware (malware is a collective term for software or code designed to perform malicious actions) is disguised as a variety of trusted apps, from banking and government services to TV streaming and public-facing services. Once installed, these fake apps secretly collect the user’s text messages, contacts and all stored images and send them to a remote server. During this time, users are distracted by lengthy loading screens, unexpected redirects, and blank screens.

McAfee has identified over 280 fake apps involved in this scheme. Since the beginning of 2024, Korean users have been increasingly targeted. McAfee’s mobile security products detect this threat, called SpyAgent, to help consumers keep their devices safe.
Figure 1: Timeline of “SpyAgent” occurrences
*Mechanism of infection*
Mobile malware targeting users in South Korea is primarily spread through sophisticated phishing campaigns. These fake campaigns use text messages and direct messages on social media to send harmful links. The attackers behind the messages often pretend to be organizations or trusted people to trick users into clicking on a link. Once the link is clicked, it will take you to a fake website that mimics the appearance of the legitimate site. These fake sites usually ask you to download an app, which then installs malware on your device. It’s important to be cautious and check the authenticity of messages and links before clicking.
Figure 2: Display screen of fake site
When the user clicks the link, an APK (Android Package Kit) file is downloaded. Although this file looks like a legitimate app, it is actually malicious software. Once the APK is downloaded, the user is asked to install the app. During installation, the app requests access to sensitive personal information such as SMS messages, contacts, and storage, as well as permission to run in the background. The permissions are presented as necessary for the app to function properly, but in reality they are used to compromise the user’s privacy and security.
Figure 3: App installation and permission request
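The permission combination described above (SMS, contacts, storage, background execution) is something an app-vetting pipeline can check for before a build is approved or sideloaded. The script below is an added example, not McAfee’s code; it assumes the APK’s binary AndroidManifest.xml has already been decoded to text (for instance with apktool), and the sample manifest is constructed.

```python
"""Flag a decoded AndroidManifest.xml whose permission set matches the
SpyAgent data-theft profile: SMS, contacts, stored images, background execution.
Added example, not McAfee's code; assumes the manifest was already decoded
from the APK's binary XML to text (for instance with apktool)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups mapped to the data categories named in the release.
PROFILE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "images": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "background": {"android.permission.FOREGROUND_SERVICE",
                   "android.permission.RECEIVE_BOOT_COMPLETED",
                   "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every <uses-permission android:name="..."> value in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}

def matched_categories(perms: set[str]) -> set[str]:
    """Data categories from PROFILE that the requested permissions would enable."""
    return {cat for cat, needed in PROFILE.items() if perms & needed}

def is_spyagent_profile(manifest_xml: str, min_categories: int = 3) -> bool:
    """True when the app asks for at least min_categories of the four categories
    at once; a single category on its own is common in benign apps."""
    return len(matched_categories(requested_permissions(manifest_xml))) >= min_categories

# Constructed sample manifest shaped like the fake banking apps described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    perms = requested_permissions(SAMPLE_MANIFEST)
    print(sorted(matched_categories(perms)), is_spyagent_profile(SAMPLE_MANIFEST))
```

A hit is a reason for manual review, not proof of malice: legitimate messaging or backup apps can request the same set, so the threshold and profile should be tuned to the fleet being vetted.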
*Malware capabilities and behavior*
Once the app is installed and launched, sensitive user information is stolen and sent to a remote server controlled by the attacker.

Types of data collected:
– *Contacts:* The user’s entire contact list can be extracted and used for further fraud or for spreading the malware.
– *SMS messages:* All captured SMS messages, including private two-factor authentication codes and other sensitive information, are sent to the attacker.
– *Photos:* Any images stored on the device are uploaded to the attacker’s servers. These may include personal photos and other sensitive images.
– *Device information:* Details about the device itself, such as OS version and phone number, are stolen. Device information helps attackers customize their malicious activities more effectively.
*Investigating the command and control (C2) servers*
McAfee’s research team discovered several important facts.

*1. Unsecured C2 (or C&C) servers (command and control servers used by attackers to issue commands to malware and receive stolen information):*
Several C2 servers were found to have weak security settings that allowed unauthorized access to certain index pages and files without requiring credentials. This flaw let the researchers take a deeper look at the servers’ functionality and the types of data collected.

Investigation revealed that the server’s root directory contained multiple folders, each organized in a different manner, such as imitating a banking institution or postal service.

Figure 4: The root index page, published before the site was shut down.
Due to a server configuration error, not only was internal information unintentionally disclosed, but victims’ stolen personal information was also exposed publicly. In the ‘uploads’ directory, a separate folder containing photos collected from victims was found, highlighting the seriousness of the data breach.
Figure 5: List of images from one of the victims of the “aepost” campaign, captured before the site was taken down.
*2. Administrator page:*
Following the exposed index page leads to administration pages designed to manage victims. These pages listed devices along with their device information and the various actions that could be issued to them. As the number of victims grows, so does the list of devices.
Figure 6: Administrator control panel
*3. Targeting apps and software that manage crypto assets:*
Examination of the admin screen revealed that the attacker’s main goal was to obtain the mnemonic keys for crypto asset apps. This suggests that they are focused on accessing and fraudulently exploiting victims’ crypto assets.
Figure 7: OCR details on the management screen
*4. Data processing and management:*
The malware’s server side uses Python and JavaScript to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR), and the results are organized and managed through an admin panel. This process demonstrates the sophistication with which stolen information is processed and exploited.
Figure 8: Server-side OCR code
*5. Evolution of connectivity*
Originally, the malware communicated with its C2 servers through simple HTTP requests. While effective, this method was relatively easy for security tools to track and block. The malware now uses WebSocket connections for communication, a significant new technique. This upgrade enables efficient, real-time, two-way communication with the C2 servers and allows the malware to evade detection by traditional HTTP-based network monitoring tools. At the same time, it has become more difficult for security researchers to analyze the traffic and intercept malicious communications.
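A defender-side counterpoint to the connectivity change just described, added here as an example (not McAfee’s code): a WebSocket session still begins as an HTTP GET with an Upgrade header, so proxy logs can flag upgrades from Android clients to hosts outside a known-good list even when the later frames are opaque. The key=value log format, the allowlist and the log lines are constructed assumptions.

```python
"""Flag WebSocket upgrade requests from Android clients to unknown hosts in
HTTP proxy logs. Added example, not McAfee's code; the key=value log format
and the allowlist below are constructed, not any particular proxy's."""
import re
from dataclasses import dataclass

# Assumed allowlist of WebSocket endpoints this fleet is expected to reach.
ALLOWED_WS_HOSTS = {"ws.example-messenger.com", "push.example-bank.co.kr"}

LINE_RE = re.compile(
    r'ts=(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) '
    r'method=(?P<method>\S+) path=(?P<path>\S+) '
    r'upgrade=(?P<upgrade>\S+) ua="(?P<ua>[^"]*)"')

@dataclass
class Alert:
    ts: str
    src: str
    host: str
    path: str

def is_websocket_upgrade(fields) -> bool:
    """The handshake is a GET carrying 'Upgrade: websocket'."""
    return fields["method"] == "GET" and fields["upgrade"].lower() == "websocket"

def detect(log_lines):
    """Return an Alert per WebSocket upgrade from an Android client to a host
    outside ALLOWED_WS_HOSTS. The UA check is a heuristic: apps set their own UA."""
    alerts = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        f = m.groupdict()
        if (is_websocket_upgrade(f) and f["host"] not in ALLOWED_WS_HOSTS
                and "Android" in f["ua"]):
            alerts.append(Alert(f["ts"], f["src"], f["host"], f["path"]))
    return alerts

# Constructed sample log: one allowed upgrade, one plain POST, one suspicious
# upgrade to a bare IP from an Android HTTP client, one non-Android upgrade.
SAMPLE_LOG = [
    'ts=2024-09-01T10:00:01Z src=10.0.0.12 host=push.example-bank.co.kr method=GET path=/ws upgrade=websocket ua="Mozilla/5.0 (Linux; Android 13) ExampleBank/4.2"',
    'ts=2024-09-01T10:00:05Z src=10.0.0.12 host=api.example-bank.co.kr method=POST path=/login upgrade=- ua="Mozilla/5.0 (Linux; Android 13) ExampleBank/4.2"',
    'ts=2024-09-01T10:02:17Z src=10.0.0.12 host=203.0.113.45 method=GET path=/socket upgrade=websocket ua="okhttp/4.9.0 (Linux; Android 13)"',
    'ts=2024-09-01T10:03:00Z src=10.0.0.30 host=198.51.100.7 method=GET path=/ws upgrade=websocket ua="Mozilla/5.0 (Windows NT 10.0)"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> wss://{a.host}{a.path}")
```

When the proxy does not log the Upgrade header, the same signal is available from the 101 Switching Protocols response status.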

Malware obfuscation techniques have also improved significantly, making detection even more complex for security software and researchers. APK obfuscation involves hiding malicious code using techniques such as string encoding, inserting extraneous code, and renaming functions and variables. These methods not only cause confusion, but also slow down the detection process and camouflage the true purpose of the malware.

Additionally, the malware’s reach and targeting strategies are expanding. Recent research shows that the malware is becoming more widespread in the UK. This suggests that the attackers are looking to extend their reach demographically and geographically, likely targeting new users with localized versions of the malware.

*Summary*
The rapid evolution of malware highlights the ever-changing and sophisticated nature of today’s cyber threats. Initially masquerading as apps for lending money or government services, they have now begun to exploit people’s emotions by masquerading as personally beneficial notifications. The research team found that attackers are leveraging OCR technology to analyze stolen data and misuse it for financial gain. As malware evolves and becomes more complex, it becomes increasingly difficult to predict its next move. Cybercriminals are constantly improving their methods to better infiltrate and manipulate user environments, and the dangers posed by these threats only increase over time.

The malware expands its reach when it uses the victim’s contacts to send fraudulent SMS messages. Recipients are more likely to trust these phishing messages because they appear to come from a familiar contact. For example, a notification that appears to come from a friend’s number is more likely to be perceived as genuine, and the recipient is more likely to fall for the scam, especially compared to a phishing message from an unknown source.
These techniques add layers of deception and greatly increase the effectiveness and stealth of the attack. Early detection of such malware is critical to preventing its spread and minimizing potential damage. McAfee took proactive action against these campaigns by reporting them to the content providers associated with the active URLs.

The malware’s next stage of development is likely to target iOS users, as an item labeled “iPhone” was found in the admin panel. Although no direct evidence of an iOS-compatible version has been found yet, its existence is certainly possible. McAfee has previously observed data theft activity affecting both Android and iOS platforms, suggesting that the attackers may be working on malware for iOS. This is especially concerning because, although iOS has a reputation for security, there are still ways to install malicious apps outside of the App Store. This potential shift to iOS highlights the need for vigilance on all mobile platforms.

In such situations, it is extremely important for users to be cautious about their actions, including installing apps and granting permissions. It’s best to keep important information safe and isolated from your devices. Security software has become more than just a recommendation; it’s a necessity to protect your devices. The McAfee Mobile Research team remains vigilant and has robust security measures in place to combat these advanced threats.
McAfee Mobile Security products are designed to detect and protect against malware as well as other unwanted software. For more information, please see the McAfee Mobile Security website (https://www.mcafee.com/ja-jp/antivirus/mobile.html).

*About McAfee*
McAfee is a global leader in online protection for consumers and small businesses. With a focus on protecting people, not just devices, McAfee’s consumer and small business solutions adapt to the needs of users in an always-on world, delivering timely and secure solutions for families, communities, and businesses. We help users live securely with comprehensive, intuitive solutions that protect their.
For more information, please visit https://www.mcafee.com/ja-jp/index.html.
*McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its affiliates in the United States and other countries.*