Update, Sept. 09, 2024: This story, originally published Sept. 07, includes details of new AI-powered Google Play Protect live threat detection.
Security researchers have uncovered a new and dangerous Android hacking campaign, and this one is also highly inventive. Targeting a 12-word phrase, the SpyAgent malware disguises itself as one of 280 apps so far and uses optical character recognition technology during the devious attacks. Fall victim to a successful compromise, and it could be very costly as these hackers are after your money.
The Android SpyAgent Hack Employs Innovative New Attack Methodology
The McAfee Mobile Research Team recently identified more than 280 applications being used as launchpads for SpyAgent malware, which has been actively targeting Android users since the start of the year. These fake apps, pretending to be everything from banking to streaming utilities, will use distraction techniques such as “endless loading screens, unexpected redirects, or brief blank screens to hide their true activities,” report author SangRyol Ryu, said.
As it turns out, the true activity is to gather together all your SMS text messages, contacts and, importantly as I’ll come to momentarily, every image you have stored on your Android device. All of this data is then sent to a remote server where the clever, dangerous and ultimately potentially costly work begins.
These fake apps are usually the initial payload of a phishing campaign aimed at getting users to an apparently genuine but actually malicious website where they are tricked into making the download. The trickery doesn’t stop there, of course, as what they are downloading is an Android Package Kit file rather than a genuine app. When installed, this requests permissions to access SMS messages, contacts and data storage. Gaining access to your photos is the primary objective as these are then scanned using OCR technology, but don’t worry, the hackers aren’t after your private, nudge nudge, wink wink, images. What they are looking for is a mnemonic key.
What’s a mnemonic key, you ask? Simply put, this is a 12-word passphrase, although they can reach 24 words in total. A passphrase for what? Your cryptocurrency wallet, or rather the recovery of your crypto wallet. “This suggests a major emphasis on gaining entry to and possibly depleting the crypto assets of victims,” Ryu said.
Mitigating The SpyAgent Android Threat
We’ve been talking about SpyAgent as an Android threat, which is certainly what it is currently. However, Ryu said that the McAfee researcher have found an item that was labeled as “iPhone” within the admin panel code which suggests that the developers of the malware could be attempting to target iOS users in a future version. “While no direct evidence of an iOS-compatible version has been found yet,” Ryu said, “the possibility of its existence is genuine.”
Regardless, the mitigation is the same as always: stay aware of the phishing threat, only install apps from official app stores, don’t follow links in unsolicited emails or text messages, and don’t grant permissions for any app that appears excessive, unwarranted or intrusive in any way.
Google advises Android users to employ Google Play Protect To check both your apps and device for harmful behavior. While Google Play Protect is enabled by default, Google recommends that users check to ensure it hasn’t been disabled. To do this, open the Google Play app, tap your profile icon, tap settings, then ensure scan apps with Play Protect is toggled on.
Coming To An Android Near You: Google Play Protect Live Threat Detection
Android Authority has published a comprehensive guide to all the confirmed and leaked features that the next release of Android, Android 15, will bring. I heartily recommend reading this. because Among these are some pretty important security and privacy measures that all users should be aware of. Many of these have already been detailed by Google itself, with Google Play Protect live threat detection being perhaps the most relevant to readers of this article. Dave Kleidermacher, vice president of engineering, Android security and privacy, said that the current incarnation of Google Play Protect scans an astonishing 200 billion Android apps every single day. To put that into even more context, doing so helps to protect more than 3 billion Android users safe from malware attacks and malicious applications.
“We are expanding Play Protect’s on-device AI capabilities with Google Play Protect live threat detection,” Kleidermacher said, “to improve fraud and abuse detection against apps that try to cloak their actions.” In order to do this, Google’s Play Protect on-device AI will “analyze additional behavioral signals related to the use of sensitive permissions and interactions with other apps and services.” If any of these suspicious behaviors are detected, then the Google Play Protect service will send those apps to Google so as to be reviewed in further detail. Once confirmed as malicious, then the app will either be disabled completely or users warned of the threat depending on the nature and level of that behavior. If you are concerned about the privacy implications of on-device AI scanning such as this, Kleidermacher said that it is carried out “in a privacy-preserving way” involving Google’s Private Compute Core, “which allows us to protect users without collecting data.”
