September 7th, 2024

Found: Android apps that use OCR to steal cryptocurrency credentials

Researchers found over 280 malicious Android apps that use OCR technology to steal cryptocurrency wallet credentials. These apps disguise themselves as legitimate services and are spreading from South Korea to the UK.


Researchers have identified over 280 malicious Android applications that use optical character recognition (OCR) to steal cryptocurrency wallet credentials. The apps pose as legitimate services, including banking and streaming applications, and are distributed through phishing messages and malicious websites rather than through Google Play. Once installed, the malware scans the device for text messages, contacts, and images and sends this data to remote servers controlled by the attackers. Its sophistication is notable: it runs OCR over the harvested images to extract mnemonic recovery phrases, which are easier for users to remember than complex private keys. The discovery was made by McAfee researcher SangRyol Ryu, who gained access to the attackers' servers because of weak security configurations. The malware has since evolved to use WebSockets for communication, making it harder for security software to detect, and the apps have been updated to obfuscate their malicious functions, complicating analysis and detection. While primarily affecting South Korea, the malware has begun to spread to the UK, indicating a geographical expansion of the threat.

- Over 280 Android apps using OCR to steal cryptocurrency credentials have been discovered.

- The malware disguises itself as legitimate applications and is distributed via phishing.

- It extracts mnemonic recovery phrases from images, targeting cryptocurrency wallets.

- The malware has evolved to use WebSockets, complicating detection efforts.

- The threat is expanding geographically, now affecting users in the UK.
