Researchers have discovered more than 280 malicious Android apps whose operators run optical character recognition (OCR) on images stolen from infected devices to extract cryptocurrency wallet recovery phrases.
The apps masquerade as official apps from banks, government services, TV streaming services and utilities. In reality, they scour infected phones for text messages, contacts and stored images, then surreptitiously upload them to remote servers controlled by the app developers. The apps are hosted on malicious websites and distributed via phishing messages sent to targets; there is no indication that any of them were available through Google Play, so victims had to sideload them by allowing installation from unknown sources.
Highly complex
What’s most notable about the newly discovered campaign is that the threat actors behind it run optical character recognition over images stored on infected devices to extract cryptocurrency wallet credentials. Many wallets let users back up and restore a wallet with a mnemonic recovery phrase, typically 12 or 24 common words drawn from a fixed wordlist that encodes the wallet’s master secret. For most people those words are easier to record than the jumbled characters of a raw private key, so users routinely photograph or screenshot them. The words are also easier to recognize in an image, for humans and for OCR alike, and anyone who obtains the phrase can restore the wallet on their own device and empty it.
SangRyol Ryu, a researcher at security firm McAfee, discovered this after gaining unauthorized access to a server that received data stolen by the malicious apps. The access was possible because of a weak security configuration made when the server was deployed, which let Ryu read pages intended for the server’s administrators.
One of those pages, shown in the image below, is particularly telling. A list of words appears near the top of the page, and below it is the corresponding image taken from an infected phone: the words visible in the image are the same words listed above it.
“After inspecting the page, it is clear that the attacker’s primary goal is to obtain the mnemonic recovery phrase for cryptocurrency wallets,” Ryu wrote. “This suggests that their primary focus is on obtaining and potentially draining the victim’s crypto assets.”
Optical character recognition is the process of converting images of typed, handwritten or printed text into machine-encoded text. OCR has existed for decades and is increasingly used to turn characters captured in images into text that software can search and manipulate.
Ryu continued:
The threat uses Python and JavaScript on the server side to process the stolen data. Specifically, the threat uses optical character recognition (OCR) technology to convert images into text, which is then organized and managed through the admin panel. This process shows that the threat is very sophisticated in processing and exploiting stolen information.
Anyone concerned that they may have installed one of the malicious apps should consult the McAfee post, which lists the associated distribution websites and the cryptographic hashes of the known samples.
The malware has been updated several times. Earlier versions communicated with the command-and-control server over HTTP; current versions connect via WebSockets, which is harder for security software to inspect. After the initial HTTP Upgrade handshake the connection becomes a persistent, bidirectional stream of frames rather than discrete request/response pairs, and client-to-server frames are XOR-masked on the wire, so tools that match on HTTP request bodies see neither the requests nor the literal payload. Defenders can still flag the handshake itself, an HTTP request carrying an Upgrade: websocket header and a Sec-WebSocket-Key, when it goes to an unexpected host. WebSockets also gives the operators a more versatile two-way channel.
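To make the inspection problem concrete, here is an added example, written for this page rather than taken from McAfee’s post or from the malware, that builds and parses RFC 6455 WebSocket frames in Python. The JSON-like payload, its field names and the fixed masking key are constructed for the illustration. A naive filter that looks for the literal string on the wire misses it, while a parser that understands the framing recovers every payload from a captured client-to-server stream.

```python
import os
import struct
from typing import Optional

# Opcodes from RFC 6455 section 5.2.
OPCODE_TEXT = 0x1
OPCODE_BINARY = 0x2


def build_frame(payload: bytes, opcode: int = OPCODE_TEXT, mask: bool = True,
                masking_key: Optional[bytes] = None) -> bytes:
    """Serialise one unfragmented WebSocket frame.

    Client-to-server frames MUST be masked (RFC 6455 section 5.3): a 4-byte
    key is XORed over the payload, so even on plaintext HTTP the bytes on the
    wire never contain the literal payload.
    """
    header = bytes([0x80 | (opcode & 0x0F)])  # FIN=1, RSV=000, opcode
    length = len(payload)
    mask_bit = 0x80 if mask else 0x00
    if length < 126:
        header += bytes([mask_bit | length])
    elif length < (1 << 16):
        header += bytes([mask_bit | 126]) + struct.pack("!H", length)
    else:
        header += bytes([mask_bit | 127]) + struct.pack("!Q", length)
    if not mask:
        return header + payload
    key = masking_key if masking_key is not None else os.urandom(4)
    if len(key) != 4:
        raise ValueError("masking key must be exactly 4 bytes")
    masked = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
    return header + key + masked


def parse_frame(data: bytes) -> dict:
    """Parse the frame at the start of `data`, unmasking the payload.

    Returns fin, opcode, masked, payload and the number of bytes consumed so a
    caller can walk a captured stream frame by frame. Raises on truncation.
    """
    if len(data) < 2:
        raise ValueError("truncated frame header")
    first, second = data[0], data[1]
    fin = bool(first & 0x80)
    opcode = first & 0x0F
    masked = bool(second & 0x80)
    length = second & 0x7F
    offset = 2
    if length == 126:
        if len(data) < offset + 2:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack("!H", data[offset:offset + 2])
        offset += 2
    elif length == 127:
        if len(data) < offset + 8:
            raise ValueError("truncated extended length")
        (length,) = struct.unpack("!Q", data[offset:offset + 8])
        offset += 8
    key = b""
    if masked:
        if len(data) < offset + 4:
            raise ValueError("truncated masking key")
        key = data[offset:offset + 4]
        offset += 4
    if len(data) < offset + length:
        raise ValueError("truncated payload")
    raw = data[offset:offset + length]
    payload = bytes(b ^ key[i % 4] for i, b in enumerate(raw)) if masked else raw
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload": payload, "consumed": offset + length}


def unmask_stream(stream: bytes) -> list:
    """Split a captured client-to-server byte stream into unmasked payloads."""
    payloads = []
    pos = 0
    while pos < len(stream):
        frame = parse_frame(stream[pos:])
        payloads.append(frame["payload"])
        pos += frame["consumed"]
    return payloads


def wire_contains_plaintext(wire: bytes, needle: bytes) -> bool:
    """A naive content filter: does the literal string appear on the wire?"""
    return needle in wire


# Constructed sample (not real malware traffic): one exfiltrated SMS as an
# exfiltration client might send it after the Upgrade handshake. The field
# names are invented; the fixed key makes the wire bytes reproducible.
SAMPLE_PAYLOAD = b'{"type":"sms","body":"Your verification code is 482913"}'
SAMPLE_KEY = b"\x12\x34\x56\x78"
WIRE_BYTES = build_frame(SAMPLE_PAYLOAD, masking_key=SAMPLE_KEY)

if __name__ == "__main__":
    print("literal 'verification' visible on the wire:",
          wire_contains_plaintext(WIRE_BYTES, b"verification"))
    for p in unmask_stream(WIRE_BYTES):
        print("unmasked payload:", p.decode())
```

Note that unmasking is not decryption: the key travels in the frame header, so any inspection tool that parses the framing recovers the payload. The point is only that a tool built around HTTP request bodies never gets that far, which is why the Upgrade handshake is the more reliable place to alert.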
The developers have also updated the apps to better hide their malicious functionality. The obfuscation includes encoding string literals so they cannot be read directly in decompiled code, inserting irrelevant dead code, and renaming functions and variables to meaningless identifiers, all of which slow analysts down and hamper signature-based detection. While the malware has so far been confined mainly to South Korea, it has recently begun to spread to the United Kingdom.
“This development is significant as it shows that the threat actor is expanding its demographic and geographic reach,” Ryu wrote. “Entering the UK suggests the attackers are interested in expanding their operations, perhaps aiming to attract new user bases with localized versions of the malware.”