2024-09-05 SPYAGENT Android Malware Stealing Crypto Credentials via Image Recognition / OCR Samples

 

2024-09-05 McAfee New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition 

McAfee Labs' analysis of the "SpyAgent" Android malware revealed a sophisticated use of Optical Character Recognition (OCR) for extracting sensitive information, particularly mnemonic keys for cryptocurrency wallets.

The malware captures images stored on infected devices and uploads them to a remote Command and Control (C2) server.

Server-side OCR processes these images to extract text, specifically targeting mnemonic recovery phrases. This extracted data is critical for accessing and potentially stealing cryptocurrency assets.

Once the OCR extracts the text, the information is organized and managed through an administrative panel on the C2 server. This indicates a high level of sophistication in handling the stolen data, allowing attackers to efficiently process and utilize the extracted information.

Download

Download. Email me if you need the password scheme.

• Mobile Malware - Dropbox Storage
• Mobile Malware - AWS S3 Storage

2024-08-05 Android CHAMELEON Samples

2024-08-05 Chameleon is now targeting employees: Masquerading as a CRM app 

2023-12-23 Android Banking Trojan Chameleon can now bypass any Biometric Authentication

Canada (July 2024): Chameleon disguised itself as a Customer Relationship Management (CRM) app, specifically targeting employees of a Canadian restaurant chain that operates internationally. The aim was to infiltrate business banking accounts by exploiting the employees' roles, which likely involve handling sensitive financial information through CRM systems.

• UK and Italy (January 2023): The Trojan impersonated legitimate applications such as Google Chrome and government-related apps to deceive users and infiltrate their devices. This tactic significantly increases the likelihood of successful infections by leveraging the trust users place in these widely recognized apps.

Payload Delivery and Exploitation:

• Multi-Stage Process: In the July 2024 campaign, Chameleon used a dropper capable of bypassing Android 13+ security restrictions. The dropper tricked users into reinstalling a fake CRM app, which secretly deployed the Chameleon payload, allowing it to operate unnoticed.
• Zombinder Framework: In the January 2023 campaign, Chameleon was distributed via the Zombinder framework, which deployed both Chameleon and Hook malware families through a sophisticated two-stage payload process. This method utilized Android’s PackageInstaller to facilitate the installation of malicious components.

Advanced Features and Exploitation Techniques:

• Accessibility Service Exploitation: Chameleon leverages the Accessibility Service on Android devices to carry out Device Takeover (DTO) attacks. This service is crucial for the Trojan's ability to log keystrokes, harvest credentials, and execute commands that allow it to control the device remotely.
• Bypassing Android 13 Restrictions: The Trojan adapts to the latest Android 13 restrictions by displaying HTML pages that guide users to enable the Accessibility Service, thereby circumventing security features designed to block such malware.
• Biometric Disruption: A new feature in the updated variant allows Chameleon to bypass biometric authentication, forcing a fallback to PIN-based authentication. This enables the malware to capture PINs and passwords, which it can use to unlock the device and further exploit the victim's data

Download

Download. Email me if you need the password scheme.