SpyAgent¶
SpyAgent is an Android spyware campaign using OCR (optical character recognition) to steal cryptocurrency wallet recovery phrases from device photos. McAfee discovered the campaign in September 2024, identifying 280+ fake apps targeting Korean users since January 2024. The apps impersonate banking, government, streaming, and utility applications to gain gallery access, then scan stored photos for screenshots containing cryptocurrency mnemonic seed phrases. McAfee's investigation also revealed misconfigured attacker infrastructure, exposing admin panels, stolen data, and operational details.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | January 2024 |
| Last Seen | Active |
| Status | Active, expanding |
| Type | Cryptocurrency stealer, spyware |
| Attribution | Unknown; infrastructure suggests organized operation |
| Aliases | None known |
Vendor Names¶
| Vendor | Name |
|---|---|
| McAfee | Android/SpyAgent |
| Kaspersky | HEUR:Trojan-Spy.AndroidOS.SpyAgent |
| AhnLab | Trojan/Android.SpyAgent |
Origin and Lineage¶
SpyAgent is independently developed. The OCR-based crypto theft technique is shared with SparkCat, which Kaspersky documented reaching a far broader audience through a malicious SDK embedded in apps published on Google Play and the App Store. The two operations appear to be separate actors who independently converged on the same technique. SpyAgent focuses narrowly on Korean users through sideloaded apps, while SparkCat relies on supply chain distribution via the official stores.
Distribution¶
SpyAgent distributes through phishing SMS and social media, directing users to fake download pages:
| Vector | Details |
|---|---|
| Smishing | SMS with links to fake app download pages |
| Social media | Phishing links on Korean social platforms |
| Fake websites | Landing pages impersonating legitimate services |
App Impersonation¶
280+ fake apps identified, impersonating:
| Category | Examples |
|---|---|
| Banking | Korean bank apps, financial calculators |
| Government | Korean government service apps |
| Streaming | Media and entertainment apps |
| Utilities | Photo editors, storage managers, delivery tracking |
All apps are distributed through sideloading (APK download from fake websites), not through Google Play.
Capabilities¶
| Capability | Description |
|---|---|
| OCR scanning | Scans device gallery photos for crypto seed phrases |
| Photo exfiltration | Uploads photos containing detected seed phrases |
| SMS interception | Reads and forwards SMS including OTPs |
| Contact theft | Exfiltrates contact list |
| Device info | Hardware identifiers, installed apps |
| Gallery monitoring | Watches for new screenshots added to gallery |
OCR Crypto Theft¶
The core theft mechanism:
- The app requests storage or media permissions at runtime (READ_EXTERNAL_STORAGE, or READ_MEDIA_IMAGES on Android 13+), justified by its cover function (photo editor, storage manager, banking app)
- Images in the device gallery are processed with OCR to recover any text they contain
- The recognized text is matched against the BIP-39 wordlist and the numbered-list layout wallets use when displaying a recovery phrase
- Images that match are uploaded to the C2
- The app keeps monitoring the gallery so that screenshots taken after installation are also captured
Users commonly screenshot their wallet recovery phrases during initial wallet setup. SpyAgent targets these screenshots to extract the 12- to 24-word recovery phrases that give full control of a cryptocurrency wallet. On Android 14 and later a user can grant a cover app access to selected photos only, which keeps the rest of the gallery out of reach; on older versions a storage grant exposes every image on the device.
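The matching step above is easy to get wrong in either direction: many BIP-39 words are ordinary English ("about", "write", "word"), so word density alone flags innocent text, while a single OCR misread breaks the phrase's checksum. The following Python is an added example written for this page, not code from McAfee's analysis or from the malware; it shows what a correct seed phrase detector looks like, for instance as a check run on OCR output before photos are exported, and the same logic is what a harvester would need server side. It validates the BIP-39 checksum (entropy bits plus the leading bits of SHA-256 of the entropy) rather than just counting wordlist hits. The wordlist is a constructed stand-in whose first four entries match the real English list; the sample screenshot text and the `DEMO_WORDLIST` name are assumptions for the example, and the phrase it contains is the public all-zero-entropy BIP-39 test vector, not a real wallet.

```python
import hashlib
import re

# Valid BIP-39 phrase lengths (24 first so a long phrase is not reported as its
# 12-word prefix). Checksum bits = word count / 3; entropy bits = word count * 11 - checksum bits.
MNEMONIC_LENGTHS = (24, 21, 18, 15, 12)

# Constructed stand-in for the 2048-word English BIP-39 list (assumption: the real list
# begins "abandon, ability, able, about"; the remaining entries here are dummies).
# For real use, load bip39/english.txt instead.
DEMO_WORDLIST = ["abandon", "ability", "able", "about"] + [f"word{i:04d}" for i in range(4, 2048)]


def bip39_checksum_ok(words, wordlist):
    """Return True if `words` is a checksum-valid BIP-39 mnemonic over `wordlist`."""
    if len(words) not in MNEMONIC_LENGTHS:
        return False
    index = {w: i for i, w in enumerate(wordlist)}
    try:
        bits = "".join(format(index[w], "011b") for w in words)  # 11 bits per word
    except KeyError:  # a word outside the list can never form a valid mnemonic
        return False
    cs_len = len(words) // 3
    ent_len = len(bits) - cs_len
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    # Checksum is the leading cs_len bits of SHA-256(entropy); cs_len <= 8, so one byte suffices.
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return bits[ent_len:] == expected


def tokenize(ocr_text):
    """Lower-case alphabetic tokens; drops the '1.', '2.' numbering wallets print."""
    return re.findall(r"[a-z]+", ocr_text.lower())


def bip39_density(tokens, wordlist):
    """Fraction of tokens that are BIP-39 words: a cheap pre-filter, but not proof of a phrase."""
    vocab = set(wordlist)
    return sum(t in vocab for t in tokens) / len(tokens) if tokens else 0.0


def find_mnemonics(ocr_text, wordlist):
    """Return every checksum-valid mnemonic that appears as a run of consecutive tokens."""
    vocab = set(wordlist)
    tokens = tokenize(ocr_text)
    hits = []
    for n in MNEMONIC_LENGTHS:
        for start in range(len(tokens) - n + 1):
            window = tokens[start:start + n]
            if all(t in vocab for t in window) and bip39_checksum_ok(window, wordlist):
                hits.append(" ".join(window))
    return hits


# Constructed sample of what OCR returns for a wallet-setup screenshot (not real data).
SAMPLE_SCREENSHOT_TEXT = """Your Secret Recovery Phrase
1. abandon  2. abandon  3. abandon  4. abandon
5. abandon  6. abandon  7. abandon  8. abandon
9. abandon 10. abandon 11. abandon 12. about
Write these words down and never share them."""

if __name__ == "__main__":
    tokens = tokenize(SAMPLE_SCREENSHOT_TEXT)
    print("BIP-39 word density:", bip39_density(tokens, DEMO_WORDLIST))
    print("valid mnemonics:", find_mnemonics(SAMPLE_SCREENSHOT_TEXT, DEMO_WORDLIST))
```

Half the tokens in the sample are wordlist words, which on its own would also match a paragraph of plain English; only the checksum confirms the phrase. The same property cuts the other way for an attacker: one OCR error in a 12-word phrase fails the check, so a harvester that wants recall has to upload on density and re-verify, or have a human read the image, which matches the page's description of images being re-processed on the server.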
Technical Details¶
OCR Implementation¶
SpyAgent uses on-device text recognition to process gallery images:
- Processes images locally on the device
- Keyword matching against common seed phrase patterns and BIP-39 wordlist
- Selective upload (only matching images, not entire gallery)
- Multiple OCR passes for different image orientations and text sizes
Exposed Infrastructure¶
McAfee discovered misconfigured attacker servers with exposed admin panels revealing:
| Exposed Data | Details |
|---|---|
| Admin panels | Web interfaces for managing stolen data |
| Victim databases | Stolen SMS, contacts, and photos from compromised devices |
| Configuration files | Server-side logic for processing OCR results |
| Statistics | Infection counts and data collection metrics |
The exposed infrastructure provided unusual visibility into the operation's scale and methodology. The admin panels showed organized data management, suggesting a structured criminal operation rather than opportunistic individual actors.
C2 Communication¶
- HTTP-based communication
- Stolen data uploaded via multipart POST requests
- Server-side processing of uploaded images with additional OCR verification
- Simple command structure for app configuration and data exfiltration parameters
Target Regions¶
| Region | Details |
|---|---|
| South Korea | Primary and near-exclusive target |
The campaign targets Korean cryptocurrency holders specifically. All fake apps use Korean language, impersonate Korean services, and are distributed through Korean-language phishing channels.
Notable Campaigns¶
2024, January: SpyAgent campaign begins deploying fake apps targeting Korean users. 280+ unique app variants identified over the campaign's lifetime.
2024, September: McAfee publishes SpyAgent analysis, documenting the OCR-based seed phrase theft, 280+ fake apps, and exposed attacker infrastructure. The research reveals the operational scale and confirms crypto wallet theft as the primary objective.