– Victim’s contact list, likely for distributing the malware via SMS originating from trusted contacts.
– Incoming SMS messages, including those containing one-time passwords (OTPs).
– Images stored on the device, which are uploaded so they can be OCR-scanned for recoverable data.
– Generic device information, likely used to tailor the attacks to the victim.
SpyAgent can also receive commands from the C2 server to change the device's sound settings or to send SMS messages; the latter is most likely used to push phishing texts that distribute the malware further.

McAfee found that the SpyAgent operators had not secured their servers properly, which allowed the researchers to access them. Admin panel pages, along with the files and data stolen from victims, were openly reachable, letting McAfee confirm that the malware had already claimed multiple victims. Stolen images are processed and OCR-scanned on the server side, and the results are organized in the admin panel so that recovered data can be managed easily and used immediately in wallet hijacking attacks.
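The capability profile described above (reading contacts, intercepting incoming SMS, reading stored images, sending SMS) maps directly onto a small set of Android permissions, which makes it a useful static triage signal. The following is an added example, not McAfee's tooling and not code from the SpyAgent report: it parses an AndroidManifest.xml, buckets the requested permissions by the data type they unlock, and additionally checks for a BroadcastReceiver registered for `SMS_RECEIVED`, the standard hook for reading OTP messages as they arrive. The two manifests are constructed for the example, and the flagging threshold is our own heuristic, not something the report states.

```python
"""Static triage of an Android manifest for the SpyAgent-style data-theft profile.

Added example; not McAfee's tooling and not code from the SpyAgent report.
The manifests below are constructed for illustration, not taken from real samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key for android:name after namespace expansion

# One bucket per data type the report says the malware collects or uses.
SIGNALS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "images": {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"},
    "sms_send": {"android.permission.SEND_SMS"},
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def has_sms_receiver(manifest_xml):
    """True if any <receiver> registers for SMS_RECEIVED (the usual OTP-intercept hook)."""
    root = ET.fromstring(manifest_xml)
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(NAME) == SMS_RECEIVED:
                return True
    return False


def triage(manifest_xml):
    """Bucket permissions by data type and flag the harvest-plus-propagate combination."""
    perms = requested_permissions(manifest_xml)
    hits = {label: sorted(perms & wanted)
            for label, wanted in SIGNALS.items() if perms & wanted}
    # Heuristic threshold (ours, not from the report): the app can harvest at least
    # two of contacts / SMS / images AND can send SMS itself.
    harvest = [label for label in hits if label != "sms_send"]
    flag = "sms_send" in hits and len(harvest) >= 2
    return {"hits": hits, "sms_receiver": has_sms_receiver(manifest_xml), "flag": flag}


# Constructed manifest matching the profile described in the text.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a benign camera-style app: reads images, nothing else.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Treat the flag as a triage signal, not a verdict: a legitimate messaging client will request the same contacts and SMS permissions, so the result should feed a reviewer or a second-stage check (for example, whether the app belongs to a known SMS-client package) rather than an automatic block.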
Read more of this story at Slashdot.