2024-11-08

Attacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets to work.

Its target? Screenshots of the 12-24-word recovery phrases used for cryptocurrency wallets. Since these phrases are too long to easily remember, users often take screenshots for future reference. If attackers compromise these screen captures, they can recover crypto wallets to the device of their choosing, allowing them to steal all the digital currency they contain. And once funds are gone, they’re gone — the nature of cryptocurrency protocols means that when transactions are completed, they can’t be reversed. If money is sent to the wrong address, senders must ask recipients to create and complete a return transaction.

If users screenshot their recovery phrase and have it stolen by SpyAgent, attackers need only recover the wallet and transfer funds to the destination of their choice.

The malware has been making the rounds in South Korea, with more than 280 APKs affected, according to Coin Telegraph. These applications are distributed outside the official Google Play store, often using SMS messages or social media posts to capture user interest. Some of the infected apps mimic South Korean or UK government services, while others appear to be dating or adult content applications.
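Because the apps described above are distributed outside the official store, a practical first check on an Android device is to list which packages were not installed by a trusted app store. The following script is an added example, not code from the original article or from any SpyAgent analysis: it parses the output of `adb shell pm list packages -i` (which reports each package with its installer) and flags packages whose installer is not a known store. The sample output, the set of trusted installers, and the system-package prefix skipped are all constructed assumptions that should be adjusted for the fleet being checked.

```python
import re

# Installers treated as trusted app stores (assumption: extend for your devices).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

# Constructed sample of `adb shell pm list packages -i` output, not real device data.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.wallet  installer=com.android.vending
package:com.example.govservice  installer=null
package:com.example.dating  installer=com.android.packageinstaller
package:com.android.settings  installer=null
"""

# One line per package: "package:<name>  installer=<installer or null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_pm_output(text):
    """Return a {package: installer} mapping from `pm list packages -i` output."""
    result = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            result[match["pkg"]] = match["installer"]
    return result


def sideloaded_packages(text, trusted=TRUSTED_INSTALLERS,
                        system_prefixes=("com.android.",)):
    """Return sorted package names that were not installed by a trusted store.

    Packages that ship with the firmware report installer=null even though they
    were never sideloaded, so anything under system_prefixes is skipped
    (assumption: adjust the prefixes for the device vendor).
    """
    flagged = []
    for pkg, installer in parse_pm_output(text).items():
        if pkg.startswith(system_prefixes):
            continue
        if installer not in trusted:
            flagged.append(pkg)
    return sorted(flagged)


if __name__ == "__main__":
    for pkg in sideloaded_packages(SAMPLE_PM_OUTPUT):
        print("sideloaded:", pkg)
```

On a real device, feed the script the output of `adb shell pm list packages -i`; each flagged package is a candidate for closer review of its permissions (in particular, access to photos and screenshots) and its origin.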

There are also indications that attackers may be preparing to expand into the United Kingdom, which could, in turn, lead to more widespread compromise. And while the malware is currently Android-only, there are signs that an iOS version may be in development.