Found: 280 Android apps that use OCR to steal cryptocurrency credentials

In a concerning development for Android users, researchers have identified over 280 malicious applications designed to exploit optical character recognition (OCR) technology to pilfer cryptocurrency wallet credentials from compromised devices. These deceptive applications masquerade as legitimate offerings from banks, government agencies, streaming services, and utility providers, all while quietly harvesting sensitive information such as text messages, contacts, and images stored on infected phones. Notably, these malicious apps have not been found on Google Play, indicating their distribution through phishing messages and dubious websites.

A high level of sophistication

The sophistication of this malware campaign is particularly alarming. The perpetrators are leveraging OCR software to extract cryptocurrency wallet credentials that may be displayed in images saved on infected devices. Many cryptocurrency wallets utilize mnemonic phrases—strings of random words that are easier for users to remember compared to complex private keys. When such a phrase is kept as an image on the phone, it becomes a straightforward target for OCR-based theft.

SangRyol Ryu, a researcher at McAfee, uncovered this alarming trend after gaining unauthorized access to the servers that received data stolen by these malicious applications. This breach was facilitated by inadequate security configurations during the server deployment. Ryu’s investigation revealed an administrative page containing a list of mnemonic words alongside corresponding images sourced from infected devices, highlighting the attackers’ intent to capture these recovery phrases.

[Figure: An admin page showing OCR details. Credit: McAfee]

“Upon examining the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets,” Ryu noted. “This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims.”

OCR technology, which has existed for years, converts images containing typed, handwritten, or printed text into machine-readable text. The capability is now widely available, which lets software interpret and process text captured in images rather than treating them as opaque pictures.
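To make concrete what an OCR pipeline can pull out of a saved screenshot, here is an added defender-side example; it is not code from McAfee's write-up or from the malware. It takes already-OCR'd text (a constructed sample, mimicking a wallet's numbered recovery-phrase screen) and flags runs of consecutive wordlist words of the sizes a BIP39 mnemonic uses, the kind of check a data-loss-prevention scanner or a wallet app could apply to warn users that a seed phrase is sitting in their photo library. The wordlist below is a small constructed subset; a real check must load the full 2048-word BIP39 list.

```python
"""Flag likely BIP39-style recovery phrases in OCR output (added DLP-style example)."""
import re

# Constructed subset of the BIP39 English wordlist for illustration only.
# A real deployment loads all 2048 words (and can then also verify the checksum).
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
zoo zone zero zebra youth young yellow yard wrong write
""".split())

# Phrase sizes that BIP39 actually produces (128..256 bits of entropy).
PHRASE_LENGTHS = (12, 15, 18, 21, 24)


def tokenize(text):
    """Normalize noisy OCR output: lowercase, keep only alphabetic tokens.

    Wallet UIs print numbering like "1." before each word; digits and
    punctuation are dropped so the run of words stays contiguous.
    """
    return [t for t in re.split(r"[^a-z]+", text.lower()) if t]


def find_mnemonic_runs(text, min_len=12):
    """Return maximal runs of consecutive wordlist words at least min_len long."""
    runs, current = [], []
    for tok in tokenize(text) + [None]:  # sentinel flushes the final run
        if tok is not None and tok in BIP39_SUBSET:
            current.append(tok)
            continue
        if len(current) >= min_len:
            runs.append(current)
        current = []
    return runs


def classify(text):
    """Rate a piece of OCR'd text: 'likely_seed_phrase', 'possible' or 'clean'.

    A run whose length is exactly a valid BIP39 size is the strongest signal;
    a longer run (phrase plus stray wordlist words from surrounding prose)
    is still worth surfacing as 'possible'.
    """
    runs = find_mnemonic_runs(text)
    if not runs:
        return "clean"
    if any(len(run) in PHRASE_LENGTHS for run in runs):
        return "likely_seed_phrase"
    return "possible"


# Constructed sample inputs, standing in for OCR output of two saved images.
SAMPLE_SCREENSHOT = """Recovery phrase - write it down
1. abandon 2. ability 3. able 4. about 5. above 6. absent
7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident"""

SAMPLE_CHAT = "Hey, are you able to come about 9? I'll be above the zoo entrance."


if __name__ == "__main__":
    for name, sample in (("screenshot", SAMPLE_SCREENSHOT), ("chat", SAMPLE_CHAT)):
        print(f"{name}: {classify(sample)}")
```

The chat sample contains several wordlist words ("able", "about", "above", "zoo") yet is rated clean, because the signal is a long unbroken run, not the presence of individual words. That same property is what makes a screenshot of a recovery screen so easy to pick out of a gallery once it has been OCR'd.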

“This threat utilizes Python and JavaScript on the server-side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR) techniques, which are then organized and managed through an administrative panel. This process suggests a high level of sophistication in handling and utilizing the stolen information,” Ryu explained.

[Figure: Python code for converting text shown in images to machine-readable text. Credit: McAfee]

For individuals concerned that they may have installed one of these malicious applications, McAfee has provided a list of associated websites and cryptographic hashes for reference. The malware has undergone several updates, evolving from plain HTTP for communication with its control servers to WebSockets, a more versatile channel that is harder for security software to inspect.

[Figure: A timeline of the apps' evolution. Credit: McAfee]

Moreover, the developers of these malicious applications have strengthened their obfuscation to conceal the harmful functionality. This includes encoding strings within the code, adding irrelevant code, and renaming functions and variables, all of which slow down analysts trying to detect and understand the malware. While the campaign has primarily targeted South Korea, its recent emergence in the UK signals a troubling expansion of its reach.

“This development is significant as it shows that the threat actors are expanding their focus both demographically and geographically,” Ryu remarked. “The move into the UK points to a deliberate attempt by the attackers to broaden their operations, likely aiming at new user groups with localized versions of the malware.”

AppWizard