New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition
ID: 29747455-aaa3-5469-b6d6-c40b08926979
STIX ID: report--29747455-aaa3-5469-b6d6-c40b08926979
Feed Name: McAfee Labs Blog
McAfee Mobile Research uncovered SpyAgent, an Android malware campaign that masquerades as legitimate apps to phish users into installing malicious APKs. Once installed, it harvests contacts, SMS messages, device information and photos, using OCR to extract mnemonic wallet phrases. It exfiltrates the data to poorly secured C2 servers, which resulted in leaked victim images, and it has evolved to use WebSocket communications and stronger obfuscation. The campaign has been active in Korea since January 2024 and shows signs of expansion to the UK. The report provides SHA256 IOCs.
