Sinister SpyAgent Android Malware Uses Optics To Crack Your Crypto Wallet

by Alan Velasco, Saturday, September 07, 2024, 10:45 AM EDT
Security researchers at McAfee have discovered new malware targeting Android users, named SpyAgent. Its main aim is the theft of seed phrases that can be used to recover cryptocurrency wallets, although once it is installed on a device, the threat actors behind SpyAgent will also look to exfiltrate whatever other data might be valuable.

The way the seed phrases are found and stolen is really interesting. SpyAgent can read text from images by using optical character recognition (OCR) to scan the images saved on the victim’s device. Oftentimes, users who have cryptocurrency wallets will take pictures or screenshots of their seed phrases, which can be between 12 and 24 words long, for safekeeping.

Moreover, SpyAgent will look for data it can steal other than seed phrases. It’s able to gather detailed information about the infected device, pull a user’s entire contact list, upload any other personal images to servers controlled by threat actors, and take control of SMS messages. It’s a dangerous set of tools, as any compromising images might end up being used against a victim, and SMS messages can be sent to continue spreading SpyAgent.


In order to distribute SpyAgent, threat actors use sites that appear to be legitimate to trick users into installing the malware. Links are sent out through text messages or direct messaging systems on social media to direct users to these sites. Once there, users are instructed to install an APK that requests the permissions SpyAgent needs to get to work.
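Because the sideloaded APK has to ask for the permissions behind every capability described above (reading saved images, contacts, SMS, device details), a permission manifest is a useful first triage point for a defender. The script below is an added example, not McAfee's or the article's code: it parses `aapt dump permissions`-style output (the exact line format is assumed) and reports which of those capability groups an APK could exercise; the permission grouping and the sample dump are constructed for this illustration.

```python
"""Triage an APK's requested permissions against the capability profile the
article attributes to SpyAgent (images, contacts, SMS, device info)."""
import re

# Real Android permission names, grouped by the capabilities named in the
# article. The grouping itself is an assumption made for this example.
CAPABILITY_PERMISSIONS = {
    "read_images": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.READ_MEDIA_IMAGES"},
    "contacts":    {"android.permission.READ_CONTACTS"},
    "sms_control": {"android.permission.READ_SMS",
                    "android.permission.RECEIVE_SMS",
                    "android.permission.SEND_SMS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
}
# Groups that together match the seed-phrase-stealing profile in the article.
SPYAGENT_PROFILE = {"read_images", "contacts", "sms_control"}

# Accepts both "uses-permission: name='X'" and older "uses-permission: X".
USES_PERM_RE = re.compile(r"uses-permission:\s*(?:name=')?([\w.]+)")


def parse_permissions(aapt_output: str) -> set[str]:
    """Extract requested permission names from aapt-style dump text."""
    return set(USES_PERM_RE.findall(aapt_output))


def triage(permissions: set[str]) -> dict:
    """Map requested permissions onto capability groups and flag an APK whose
    permissions cover the full SpyAgent-like profile."""
    hits = {cap: sorted(permissions & perms)
            for cap, perms in CAPABILITY_PERMISSIONS.items()
            if permissions & perms}
    return {"capabilities": hits,
            "spyagent_like": SPYAGENT_PROFILE <= set(hits)}


# Constructed sample of what a dump for a suspicious wallet-themed APK
# might look like; not taken from a real sample.
SAMPLE_DUMP = """package: com.example.fakewallet
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_PHONE_STATE'
"""

if __name__ == "__main__":
    print(triage(parse_permissions(SAMPLE_DUMP)))
```

A legitimate wallet app rarely needs SMS send and receive alongside bulk image and contact access, so the combined flag is what merits a closer look, not any single permission.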

Cryptocurrency users might want to take some extra time and effort to save their seed phrases on paper, so that at least they can’t be wiped out financially. Additionally, all users will be best served by sticking to official app stores when searching for or installing apps, to avoid being victimized by malicious apps.
