New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition

    Date: 09/09/2024

    Severity: Medium

    Summary

    This Android malware masquerades as a variety of legitimate apps, including those for banking, government services, TV streaming, and utilities. Once installed, these deceptive apps covertly collect and transmit the victim's text messages, contacts, and stored images to remote servers. They frequently distract users with continuous loading screens, unexpected redirects, or brief blank screens to conceal their malicious activities.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname like "gf79.org" or url like "gf79.org" or userdomainname like "goodapps.top" or url like "goodapps.top" or userdomainname like "make69.info" or url like "make69.info" or userdomainname like "like1902.xyz" or url like "like1902.xyz" or userdomainname like "oktube999.info" or url like "oktube999.info" or userdomainname like "gov24.me" or url like "gov24.me" or userdomainname like "etr.lat" or url like "etr.lat" or userdomainname like "mylove777.org" or url like "mylove777.org" or userdomainname like "krgov24.top" or url like "krgov24.top" or userdomainname like "top1114.online" or url like "top1114.online" or userdomainname like "ytube888.info" or url like "ytube888.info" or userdomainname like "krgoodapp.top" or url like "krgoodapp.top" or userdomainname like "ahd.lat" or url like "ahd.lat" or userdomainname like "allsdy999.org" or url like "allsdy999.org" or userdomainname like "gov24.top" or url like "gov24.top" or userdomainname like "messtube999.info" or url like "messtube999.info" or userdomainname like "mtube888.info" or url like "mtube888.info"

    Hash

    sha256hash IN ("8bbcfe8555d61a9c033811892c563f250480ee6809856933121a3e475dd50c18","d340829ed4fe3c5b9e0b998b8a1afda92ca257732266e3ca91ef4f4b4dc719f8","34c2a314dcbb5230bf79e85beaf03c8cee1db2b784adf77237ec425a533ec634","f7c4c6ecbad94af8638b0b350faff54cb7345cf06716797769c3c8da8babaaeb","7d346bc965d45764a95c43e616658d487a042d4573b2fdae2be32a0b114ecee6","0e778b6d334e8d114e959227b4424efe5bc7ffe5e943c71bce8aa577e2ab7cdb","5b634ac2eecc2bb83c0403edba30a42cc4b564a3b5f7777fe9dada3cd87fd761","020c51ca238439080ec12f7d4bc4ddbdcf79664428cd0fb5e7f75337eff11d8a","26d761fac1bd819a609654910bfe6537f42f646df5fc9a06a186bbf685eef05b","789374c325b1c687c42c8a2ac64186c31755bfbdd2f247995d3aa2d4b6c1190a","373e5a2ee916a13ff3fc192fb59dcd1d4e84567475311f05f83ad6d0313c1b3b","1bff1823805d95a517863854dd26bbeaa7f7f83c423454e9abd74612899c4484","4cf35835637e3a16da8e285c1b531b3f56e1cc1d8f6586a7e6d26dd333b89fcf","3d69eab1d8ce85d405c194b30ac9cc01f093a0d5a6098fe47e82ec99509f930d","94aea07f38e5dfe861c28d005d019edd69887bc30dcc3387b7ded76938827528","0ca26d6ed1505712b454719cb062c7fbdc5ae626191112eb306240d705e9ed23","19060263a9d3401e6f537b5d9e6991af637e1acb5684dbb9e55d2d9de66450f2","149bd232175659434bbeed9f12c8dd369d888b22afaf2faabc684c8ff2096f8c","1d9afa23f9d2ab95e3c2aecbb6ce431980da50ab9dea0d7698799b177192c798","f9509e5e48744ccef5bfd805938bf900128af4e03aeb7ec21c1e5a78943c72e7")
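    As an added example (not part of the advisory or of Gurucul's product), the Python below checks the same two fields the queries above use, url/userdomainname and sha256hash, over constructed event records. It matches domains exactly or as a subdomain rather than by substring, since a substring `like` on a short indicator such as etr.lat would also fire on unrelated hostnames that merely contain it, and it normalizes hash case before an exact comparison. The dict-based event format and the indicator subset are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

# Subset of the domain and SHA-256 indicators listed in the advisory above.
IOC_DOMAINS = ("gf79.org", "goodapps.top", "gov24.top", "krgov24.top", "etr.lat", "mtube888.info")
IOC_SHA256 = {
    "8bbcfe8555d61a9c033811892c563f250480ee6809856933121a3e475dd50c18",
    "f9509e5e48744ccef5bfd805938bf900128af4e03aeb7ec21c1e5a78943c72e7",
}

def hostname_of(value):
    """Return the lowercase hostname from a URL or bare domain (port stripped), or None."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # let urlsplit treat a bare domain as the netloc
    host = urlsplit(value).hostname
    return host.rstrip(".") if host else None

def match_domain(value):
    """Match the hostname exactly or as a subdomain of an indicator.
    Unlike a substring 'like', 'meetr.lat' does not match 'etr.lat'."""
    host = hostname_of(value)
    if not host:
        return None
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def match_hash(value):
    """Exact, case-insensitive SHA-256 match; rejects anything that is not 64 hex chars."""
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        return None
    return value if value in IOC_SHA256 else None

def scan_events(events):
    """Return (event id, indicator) pairs for events that touch a listed IoC.
    Each event is a dict with an 'id' and optional 'url', 'userdomainname', 'sha256hash'."""
    hits = []
    for ev in events:
        for key in ("url", "userdomainname"):
            ioc = match_domain(ev.get(key, ""))
            if ioc:
                hits.append((ev["id"], ioc))
                break
        ioc = match_hash(ev.get("sha256hash", ""))
        if ioc:
            hits.append((ev["id"], ioc))
    return hits

# Constructed sample events; none are real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://cdn.gf79.org/app.apk"},
    {"id": 2, "userdomainname": "meetr.lat"},   # a substring 'like "etr.lat"' would fire here
    {"id": 3, "sha256hash": "8BBCFE8555D61A9C033811892C563F250480EE6809856933121A3E475DD50C18"},
    {"id": 4, "url": "https://example.invalid/", "sha256hash": "deadbeef"},
]
```

Running scan_events(SAMPLE_EVENTS) flags events 1 and 3 only; an uppercase hash that a case-sensitive IN list would miss is still caught.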

    Reference: 

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-android-spyagent-campaign-steals-crypto-credentials-via-image-recognition/


    Tags

    Malware, Phishing
