A campaign targeting South Korea and the United Kingdom has used more than 280 apps to steal cryptocurrency wallet credentials using Optical Character Recognition (OCR) technology.
These malicious apps disguise themselves as official services from banks, government agencies, streaming platforms, and utilities, but they scour infected devices for sensitive data. This includes text messages, contacts, and stored images, which are sent to remote servers controlled by the attackers, reports ArsTechnica.
Notably, researchers discovered that the apps had been distributed via phishing campaigns and malicious websites; there is no evidence that they were available through the Google Play Store.
Further investigation by cyber security experts revealed that the attackers’ primary goal is to extract cryptocurrency wallet credentials, with a specific focus on mnemonic recovery phrases. Many cryptocurrency wallets use these phrases—a series of random words—as a more user-friendly alternative to complex private keys.
By targeting these recovery phrases, attackers can potentially access and drain users’ crypto holdings.
The malware campaign stands out due to its innovative use of optical character recognition (OCR) technology. OCR allows the conversion of text within images into a format that computers can process.
In this attack, the malware employs OCR to scan and analyse images on compromised devices. This method is particularly concerning for cryptocurrency users, who often keep screenshots of their wallet recovery phrases.
Using OCR, the malware can identify these crucial mnemonic phrases within stored images and transmit them to the attackers’ remote servers. This sophisticated approach poses a significant threat, as it targets a common practice among cryptocurrency holders who prioritise easy access to their recovery information.
Because of weak security configurations on the attackers’ servers, researchers gained unauthorised access to an administrative panel that displayed images from infected devices alongside the corresponding mnemonic phrases. This clear evidence confirmed the campaign’s focus on cryptocurrency theft.
The malware’s complexity extends beyond its OCR capabilities. The apps use Python and JavaScript to process stolen data on the server side. Initially, the apps communicated with their control servers via HTTP, but the malware has since evolved to use WebSockets, a more versatile and secure communication channel that is harder for traditional security software to detect.
In addition to upgrading communication protocols, the attackers have implemented a series of obfuscation techniques to evade detection. This includes encoding strings, adding irrelevant code, and renaming functions and variables to confuse security analysts. These efforts make it more difficult for experts to identify the malicious activity within the app’s code.
Researchers have urged users and organisations to avoid storing sensitive information like recovery phrases or private keys in easily accessible locations on their devices, especially as image-based attacks grow more sophisticated.