{
	"id": "eee79786-abcd-484a-91aa-003f76c1f660",
	"created_at": "2026-04-06T00:18:19.071947Z",
	"updated_at": "2026-04-10T03:30:33.414203Z",
	"deleted_at": null,
	"sha1_hash": "79c718a7570db6478484ceb4669fb0902c0436d0",
	"title": "SpyAgent malware targets crypto wallets, stealing screenshots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41796,
	"plain_text": "SpyAgent malware targets crypto wallets, stealing screenshots\r\nBy Doug Bonderud\r\nPublished: 2024-11-08 · Archived: 2026-04-05 18:24:34 UTC\r\nA new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes.\r\nUsing optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often\r\nstored in screenshots on user devices.\r\nHere’s how to dodge the bullet.\r\nAttackers shooting their (screen) shot\r\nAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download\r\nseemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets to work.\r\nIts target? Screenshots of the 12-24-word recovery phrases used for cryptocurrency wallets. Since these phrases\r\nare too long to easily remember, users often take screenshots for future reference. If attackers compromise these\r\nscreen captures, they can recover crypto wallets to the device of their choosing, allowing them to steal all the\r\ndigital currency they contain. And once funds are gone, they’re gone — the nature of cryptocurrency protocols\r\nmeans that when transactions are completed, they can’t be reversed. If money is sent to the wrong address, senders\r\nmust ask recipients to create and complete a return transaction.\r\nIf users screenshot their recovery phrase and have it stolen by SpyAgent, attackers need only recover the wallet\r\nand transfer funds to the destination of their choice.\r\nThe malware has been making the rounds in South Korea, with more than 280 APKs affected, according to Coin\r\nTelegraph. These applications are distributed outside the official Google Play store, often using SMS messages or\r\nsocial media posts to capture user interest. 
Some of the infected apps mimic South Korean or UK government\r\nservices, while others appear to be dating or adult content applications.\r\nThere are also indications that attackers may be preparing to expand into the United Kingdom, which could, in\r\nturn, lead to more widespread compromise. And while the malware is currently Android-only, there are signs that\r\nan iOS version may be in development.\r\nBeyond cryptocurrency: Potential risks of sneaky screenshot steals\r\nWhile cryptocurrency recovery phrases are the top priority for SpyAgent, using OCR tech means that any picture\r\nis up for grabs. For example, if business devices have screenshots of usernames and passwords for databases or\r\nanalytics tools, company assets could be at risk. Consider a manager with access to multiple secure services, each\r\nrequiring a unique password to help reduce compromise risk. In an effort to keep passwords safe but still have\r\nthem available on-demand, our well-meaning manager makes a list and takes a screenshot of their different\r\nhttps://securityintelligence.com/articles/spyagent-malware-targets-crypto-wallets-stealing-screenshots/\r\nPage 1 of 3\n\ncredential combinations. Because they believe their device is secure, the company is using solutions such as multi-factor authentication (MFA) and secure single sign-on (SSO), and they don’t see their screenshot as a risk.\r\nIf hackers convince them to click through and download infected applications, however, attackers can view and\r\nsteal saved image data and then use this data to “legitimately” gain account access.\r\nAnother potential risk comes from personal data. Users may have screenshots of personal health or financial data,\r\nwhich puts them at risk of data exfiltration and identity fraud. 
They might also have confidential contact details\r\nfor business partners or executives, opening the door to another round of phishing attacks.\r\nThis picture-based approach to compromise creates two problems for security teams. First is the time required for\r\ndetection. It takes businesses 258 days on average to detect and contain an incident, as noted by the IBM 2024\r\nCost of a Data Breach Report. But this number only applies if security is firing on all cylinders. If mobile devices\r\nare compromised by user actions, and the malware’s sole purpose is to find and steal screenshots, the issue could\r\ngo unnoticed for far longer, especially if attackers bide their time.\r\nOnce criminals make the move to strike, meanwhile, the damage may be significant. Using stolen credentials,\r\nattackers can gain access to critical services and lock out account owners. From there, they can capture and\r\nexfiltrate data across a host of IT systems and services. While this direct action will alert IT teams, security\r\nresponse is naturally reactionary, meaning companies can’t avoid the attack; they mitigate the damage.\r\nThe message here is simple: If it’s on your phone, it’s never entirely safe. Screenshots of crypto recovery\r\npasswords, corporate logins and passwords or personal data such as Social Security numbers or bank account\r\ndetails are valuable targets for attackers.\r\nDodging the bullet also means not taking the bait — don’t respond to unsolicited texts and only download apps\r\nthrough approved app stores. It also means taking precautions. The always-connected nature of devices means that\r\ncomplete safety is an illusion. The less stored on a device, the better.\r\nUsers can keep devices safe by sticking to the official Google Play Store. Applications downloaded outside of the\r\nPlay Store come with no guarantees about their safety or security. Some are benign apps that haven’t passed\r\nGoogle’s screening process. 
Others are near-duplicates of official applications that contain hidden files or\r\ncommands. And some are simply vehicles to install malware and connect with command and control (C2) servers.\r\nIn addition, companies can benefit from the deployment of security automation and AI security tools. These\r\nsolutions are capable of capturing and correlating patterns of behavior that may appear benign but are collective\r\nindicators of compromise (IoCs). As noted by IBM data, businesses that extensively used AI and automation were\r\nable to detect and contain breaches 98 days faster than the global average.\r\nThe SpyAgent malware is now skulking around South Korea, stealing screenshots to capture crypto recovery\r\npasswords, and putting companies at risk of larger-scale data compromise.\r\nThe best defense? A trifecta of sparing screenshot saves, suspicion about off-brand apps and the deployment of\r\nsuperior intelligence solutions.\n\nSource: https://securityintelligence.com/articles/spyagent-malware-targets-crypto-wallets-stealing-screenshots/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securityintelligence.com/articles/spyagent-malware-targets-crypto-wallets-stealing-screenshots/"
	],
	"report_names": [
		"spyagent-malware-targets-crypto-wallets-stealing-screenshots"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434699,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79c718a7570db6478484ceb4669fb0902c0436d0.pdf",
		"text": "https://archive.orkl.eu/79c718a7570db6478484ceb4669fb0902c0436d0.txt",
		"img": "https://archive.orkl.eu/79c718a7570db6478484ceb4669fb0902c0436d0.jpg"
	}
}