
Found: 280 Android apps using OCR to steal cryptocurrency credentials

    Researchers have discovered over 280 malicious Android apps that use optical character recognition to steal cryptocurrency wallet credentials from infected devices.

    The apps pose as official apps from banks, government agencies, TV streaming services, and utilities. In fact, they scan infected phones for text messages, contacts, and any stored images, and stealthily send them to remote servers controlled by the app developers. The apps are available from malicious sites and are distributed in phishing messages sent to targets. There is no evidence that any of the apps were available on Google Play.

    A high level of refinement

    The most notable aspect of the recently discovered malware campaign is that the threat actors behind it are using optical character recognition software in an attempt to extract cryptocurrency wallet credentials displayed in images stored on infected devices. Many wallets let users protect their funds with a mnemonic recovery phrase, a series of random words. These mnemonic credentials are easier for most people to remember than the jumble of characters that makes up the private key, and words are also easier to recognize in images.

    SangRyol Ryu, a researcher at security firm McAfee, made the discovery after gaining unauthorized access to the servers that were receiving the data stolen by the malicious apps. The access was the result of weak security configurations made when the servers were deployed, allowing Ryu to read pages that were available to server administrators.

    One page, shown in the image below, was of particular interest. It showed a list of words at the top and, below it, a corresponding image taken from an infected phone. The words visible in the image matched the list at the top.

    Image: An admin page with OCR details. (McAfee)

    “When we reviewed the page, it became clear that a primary goal of the attackers was to obtain the mnemonic recovery phrases for cryptocurrency wallets,” Ryu wrote. “This suggests a heavy focus on gaining access to and potentially depleting victims’ crypto assets.”

    Optical character recognition is the process of converting images of typed, handwritten, or printed text into machine-encoded text. OCR has been around for years and has become increasingly common as a way to convert characters captured in images into characters that can be read and manipulated by software.

    Ryu continued:

    This threat uses Python and JavaScript on the server side to process the stolen data. Specifically, images are converted to text using optical character recognition (OCR) techniques, which are then organized and managed via an administrative panel. This process suggests a high level of sophistication in the processing and use of the stolen information.

    Image: Python code for converting text in images to machine-readable text. (McAfee)

    People who fear they may have installed one of the malicious apps can consult McAfee's report for a list of associated websites and cryptographic hashes.

    The malware has received multiple updates over time. Where it once used HTTP to communicate with control servers, it now connects via WebSockets, a mechanism that is harder for security software to parse. WebSockets have the added benefit of being a more versatile channel.
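The shift from plain HTTP to WebSockets matters to defenders because a long-lived upgraded connection does not show up as a series of discrete requests that proxies and content filters are used to inspecting. The following added example (not part of McAfee's research or this article) shows one way to surface such connections from proxy logs: it parses a few constructed access-log lines in an assumed format (timestamp, client, method, URL, status, Upgrade header) and flags WebSocket upgrades to hosts outside an assumed allowlist, to raw IP addresses, or over unencrypted transports.

```python
"""Flag WebSocket upgrades to unapproved hosts in proxy access logs.

Added example, not McAfee's tooling. The log format, the sample lines and
the allowlist are all constructed for this demonstration.
"""
import re
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic). Fields:
# timestamp client method url status upgrade_header
SAMPLE_LOG = """\
2024-09-05T10:01:12Z 10.0.0.12 GET https://chat.example.com/socket 101 websocket
2024-09-05T10:01:15Z 10.0.0.12 GET https://cdn.example.com/app.js 200 -
2024-09-05T10:02:40Z 10.0.0.12 GET http://203.0.113.7:8000/ws 101 websocket
2024-09-05T10:03:01Z 10.0.0.12 POST https://api.example.com/upload 200 -
2024-09-05T10:04:22Z 10.0.0.12 GET ws://update-service.invalid/stream 101 websocket
"""

# Assumed allowlist: hosts where a WebSocket upgrade is expected.
ALLOWED_WS_HOSTS = {"chat.example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<upgrade>\S+)$"
)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def is_websocket(rec):
    """A 101 Switching Protocols status or an Upgrade: websocket header."""
    return rec["status"] == 101 or rec["upgrade"].lower() == "websocket"


def find_suspicious_websockets(log_text, allowed_hosts=ALLOWED_WS_HOSTS):
    """Return one alert per WebSocket upgrade that breaks a policy rule."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_websocket(rec):
            continue
        reasons = []
        if rec["host"] not in allowed_hosts:
            reasons.append("host not in WebSocket allowlist")
        if IPV4_RE.fullmatch(rec["host"]):
            reasons.append("raw IP address")
        if rec["url"].startswith(("http://", "ws://")):
            reasons.append("unencrypted transport")
        if reasons:
            alerts.append({"client": rec["client"], "host": rec["host"],
                           "url": rec["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_websockets(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['url']}: {', '.join(alert['reasons'])}")
```

Running the block prints two alerts for the sample: the upgrade to a raw IP over plain HTTP and the upgrade to an unlisted host over `ws://`; the upgrade to the allowlisted host is left alone. In a real deployment the allowlist would be fed from known application endpoints and the alerts forwarded to whatever the SOC already uses for triage.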

    Image: A timeline of app evolution. (McAfee)

    Developers have also updated the apps to better obfuscate their malicious functionality. Obfuscation methods include encoding strings in the code so that they cannot be easily read by humans, adding irrelevant code, and renaming functions and variables, which confuses analysts and makes detection more difficult. While the malware is primarily confined to South Korea, it has recently begun spreading in the United Kingdom.
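Encoded string literals are the cheapest of the obfuscation tricks listed above and also the easiest to undo during triage. The added example below (not McAfee's tooling and not code from the malware) scans a constructed snippet of decompiled Java for string literals, keeps those that look Base64-encoded and have high character entropy, and shows what they decode to. The two encoded literals in the sample are built from known plaintext inside the block so the example is self-checking; every name and value in it is an assumption made for the demonstration.

```python
"""Triage string literals in decompiled Android code for encoded values.

Added example. The sample source, thresholds and helper names are
constructed for this demonstration and are not taken from the real apps.
"""
import base64
import binascii
import math
import re
import string


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed snippet resembling decompiled Java from an obfuscated APK:
# single-letter identifiers and Base64-encoded constants, as described
# in the article. The encoded literals are generated from plaintext here.
SAMPLE_SOURCE = f'''
public class a {{
    private static final String b = "{_b64("http://example.invalid/api/upload")}";
    private static final String c = "{_b64("Content-Type: image/jpeg")}";
    private static final String d = "Settings";
    private static final String e = "Unable to load configuration";
    public static void f(String g) {{
        Log.d("tag", "value=" + g);
    }}
}}
'''

STRING_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LEN = 16        # shorter literals produce too many false positives
MIN_ENTROPY = 3.0   # bits per character; natural-language strings sit lower


def shannon_entropy(s):
    """Shannon entropy of the character distribution of s, in bits."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_base64(s):
    """Decode s as strict Base64; return printable ASCII text or None."""
    if len(s) % 4 or not BASE64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if all(ch in string.printable for ch in text) else None


def find_encoded_strings(source):
    """Return literals that are long, high-entropy and decode cleanly."""
    findings = []
    for lit in STRING_LITERAL_RE.findall(source):
        if len(lit) < MIN_LEN:
            continue
        ent = shannon_entropy(lit)
        decoded = try_base64(lit)
        if decoded is not None and ent >= MIN_ENTROPY:
            findings.append({"literal": lit, "entropy": round(ent, 2),
                             "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in find_encoded_strings(SAMPLE_SOURCE):
        print(f"{f['literal']}  (H={f['entropy']})  ->  {f['decoded']!r}")
```

The decode check is deliberately strict (`validate=True`, ASCII-only, printable-only), which keeps ordinary identifiers such as `Settings` from being reported even though they happen to be a multiple of four characters long. Real samples usually add a layer on top of Base64 (XOR with a fixed key is common), so in practice this pass is the first step before looking at the decoding routine itself.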

    “This development is significant because it shows that the threat actors are expanding their focus both demographically and geographically,” Ryu wrote. “The move to the UK indicates a deliberate attempt by the attackers to expand their operations, likely targeting new user groups with localized versions of the malware.”