New Android Spyware As TV Streaming App Steals Sensitive Data From Devices

Recent research has revealed a new Android malware targeting mnemonic keys, a crucial component for cryptocurrency wallet recovery.

Disguised as legitimate apps, this malware scans devices for images containing mnemonic phrases. Once installed, it covertly steals personal data like text messages, contacts, and images. 

The research has identified over 280 such malicious apps targeting Korean users since January 2024, where the malware uses deceptive tactics like loading screens and redirects to mask its data theft activities.

Timeline of this campaign

Malicious actors primarily target Korean mobile users through sophisticated phishing campaigns. These campaigns employ deceptive tactics, such as impersonating trusted entities, to lure victims into clicking on malicious links.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

Once clicked, these links redirect users to counterfeit websites designed to mimic legitimate platforms by tricking users into downloading APK files, which are disguised as harmless applications. 

Upon installation, these malicious APKs request excessive permissions, enabling them to steal sensitive user data and execute nefarious activities in the background.

Fake Websites

The malware functions as a data exfiltration tool, stealing sensitive information from the user’s device and sending it to a remote server by targeting contacts, SMS messages, photos, and device information. 

It acts as a remote agent, receiving and executing commands from the server, which include acknowledging received data, modifying device settings, and sending SMS messages.

The investigation revealed a poorly secured command and control server that exposed sensitive data, including victim images and cryptocurrency wallet details, which allowed unauthorized access to index pages and admin panels, providing insights into the attacker’s operations. 

OCR details on Admin page

Python and Javascript were used to process stolen data, with OCR techniques employed to extract information from images demonstrating the attacker’s intent to exploit victim data for financial gain.

The malware has significantly evolved its communication and detection evasion strategies, which now utilize WebSocket connections for more efficient and real-time communication with its C2 server, making it harder to detect using traditional HTTP-based tools. 

It has also implemented advanced obfuscation techniques, such as string encoding and irrelevant code insertion, to confuse analysts and delay detection.

The malware has expanded its targeting to include the UK, demonstrating a deliberate attempt to broaden its reach and attack new user groups.

According to McAfee, the malware, initially disguised as loan or government apps, has evolved to exploit emotional vulnerabilities by mimicking obituary notices, where the perpetrators use OCR technology to analyze stolen data for financial gain. 

Despite its limited prevalence, the malware’s impact is amplified through deceptive SMS messages sent to victims’ contacts, and the team has reported active URLs to content providers for removal. 

The discovery of an “iPhone” item in the admin panel hints at a potential iOS variant, emphasizing the need for caution across all platforms.

Users should be wary of installing apps and granting permissions, storing important information securely, and using security software. 

Simulating Cyberattack Scenarios With All-in-One Cybersecurity Platform – Watch Free Webinar

Aman Mishra

Recent Posts

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and their…

2 hours ago

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…

14 hours ago

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…

18 hours ago

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…

18 hours ago

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…

19 hours ago

Metasploit Framework Released with New Features

The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…

21 hours ago