242,000 Times Downloaded Malicious Apps from Android and iOS Stealing Crypto Keys


Feb 6, 2025 - 03:18

Researchers have uncovered a widespread malware campaign targeting both Android and iOS users.

Dubbed “SparkCat,” this malicious operation involves apps embedded with a malicious SDK designed to steal recovery phrases for cryptocurrency wallets.

The infected apps, some of which were available on Google Play and the App Store, have been downloaded over 242,000 times.

Researchers at Kaspersky’s Securelist noted that this is the first known case of OCR-based crypto wallet stealing malware making its way into Apple’s App Store.

SparkCat Analysis

The SparkCat malware carries an OCR (Optical Character Recognition) plug-in built on Google’s ML Kit library. The malicious SDK (on Android) or framework (on iOS) bundles ML Kit and uses it to read the text in images stored in the device’s gallery, then scans that text for keywords related to cryptocurrency recovery phrases.

These keywords include terms such as “助记词” (Chinese for “mnemonic”), “ニーモニック” (Japanese for “mnemonic”) and “Mnemonic” in English. An image whose recognised text contains one of them is uploaded to the Command and Control (C2) server. The keyword list as reported:

{
    "keywords": ["助记词", "助記詞", "ニーモニック", "기억코드", "Mnemonic", 
                 "Mnemotecnia", "Mnémonique", "Mnemotechnika", "Mnemônico", 
                 "클립보드로복사", "복구", "단어", "문구", "계정", "Phrase"]
}
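To make the selection step concrete, the following is an added example written for this article (not code from the SparkCat SDK or from Securelist). It runs the keyword filter over constructed OCR output for a handful of gallery images and reports which ones would be uploaded. Case-insensitive substring matching is an assumption about how the SDK compares text. LooksLikeSeedPhrase is a generalisation beyond the quoted keyword list: it flags a run of twelve or more short lowercase words, the shape of a BIP-39 phrase, even when no keyword is printed beside it. The image names and OCR text are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Keywords is the list quoted in the article; the SDK matches OCR output against it.
var Keywords = []string{
	"助记词", "助記詞", "ニーモニック", "기억코드", "Mnemonic",
	"Mnemotecnia", "Mnémonique", "Mnemotechnika", "Mnemônico",
	"클립보드로복사", "복구", "단어", "문구", "계정", "Phrase",
}

// Hit records why an image would be selected for upload.
type Hit struct {
	Image    string
	Keywords []string // keyword literals found in the OCR text
	SeedLike bool     // word-shape heuristic, a generalisation added here
}

// MatchKeywords returns the keywords whose text occurs in the OCR output.
// Case-insensitive substring matching is an assumption about the SDK.
func MatchKeywords(ocrText string, keywords []string) []string {
	folded := strings.ToLower(ocrText)
	var found []string
	for _, k := range keywords {
		if strings.Contains(folded, strings.ToLower(k)) {
			found = append(found, k)
		}
	}
	return found
}

// LooksLikeSeedPhrase goes beyond the keyword list: BIP-39 phrases are 12 to 24
// lowercase words of 3 to 8 letters, so a run of at least twelve such tokens is
// flagged even when no keyword is printed next to it.
func LooksLikeSeedPhrase(ocrText string) bool {
	run := 0
	for _, tok := range strings.Fields(ocrText) {
		if isLowerWord(tok) {
			if run++; run >= 12 {
				return true
			}
		} else {
			run = 0
		}
	}
	return false
}

func isLowerWord(tok string) bool {
	if len(tok) < 3 || len(tok) > 8 {
		return false
	}
	for _, r := range tok {
		if r < 'a' || r > 'z' {
			return false
		}
	}
	return true
}

// TriageGallery simulates the SDK's selection step: every image whose OCR text
// matches is what would be sent to the C2 server. ocr maps an image name to the
// text ML Kit would recognise in it. Results are sorted by image name.
func TriageGallery(ocr map[string]string, keywords []string) []Hit {
	var hits []Hit
	for name, text := range ocr {
		h := Hit{Image: name, Keywords: MatchKeywords(text, keywords), SeedLike: LooksLikeSeedPhrase(text)}
		if len(h.Keywords) > 0 || h.SeedLike {
			hits = append(hits, h)
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].Image < hits[j].Image })
	return hits
}

// SampleGallery is constructed OCR output, not data from the campaign.
var SampleGallery = map[string]string{
	"IMG_0001.png": "Backup your recovery phrase\nabandon ability able about above absent absorb abstract absurd abuse access accident",
	"IMG_0002.png": "助记词：请妥善保管，不要截图保存",
	"IMG_0003.png": "Lunch receipt total $12.40 thank you",
	"IMG_0004.png": "Wallet 복구 단어를 안전하게 보관하세요",
	"IMG_0005.png": "gentle hazard ice jungle kiwi lemon mango nerve ocean pizza quiet radar",
}

func main() {
	for _, h := range TriageGallery(SampleGallery, Keywords) {
		fmt.Printf("%s -> keywords=%v seedlike=%v\n", h.Image, h.Keywords, h.SeedLike)
	}
}
```

Run it with go run. The receipt image is skipped; the Korean text matches both 복구 and 단어 (substring matching means 단어 fires on 단어를, a hint at how noisy the real filter must be); the last image is caught only by the word-shape heuristic. For a defender the same logic inverts: a screenshot that trips these checks is exactly the one that should never sit in a camera roll.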

On Android, the malicious code was found in the “ComeCome” food delivery app (package: com.bintiger.mall.android) with over 10,000 downloads.

ComeCome with over 10000 downloads (Source – Securelist)

On iOS, the malicious framework was discovered in multiple App Store applications, using names like:

  • GZIP
  • googleappsdk
  • stat
The ComeCome page in the App Store (Source – Securelist)

The iOS framework shipped with debugging symbols that leaked the developers’ build paths, including “/Users/qiongwu/” and “/Users/quiwengjing/”; the user names suggest Chinese-speaking developers.

The malware communicates with the C2 server using an unidentified protocol implemented in Rust, a language uncommon in mobile apps.

Popular apps containing the malicious payload (Source – Securelist)

This protocol encrypts its data with AES-256 in CBC mode and relies on a custom library that disguises itself as a popular Android obfuscator.

Code snippet of the malicious wrapper around the viewDidLoad method (Source – Securelist)

When communicating with the “rust” server, the malware follows a three-stage process:

  1. Encryption: the data is encrypted with AES-256 in CBC mode.
  2. Compression: the encrypted data is compressed with ZSTD.
  3. Transmission: the compressed data is sent over a TCP socket by the custom library.

The upload request carried inside the protocol, as reported:
{
    "path": "upload@",
    "method": "POST",
    "contentType": "application/json",
    "data": ""
}
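The three stages above, as an added example in Go (not the malware’s Rust code and not code from Securelist). Seal is the client side and Open the server side; a bytes.Reader stands in for the TCP socket. ZSTD is not in Go’s standard library, so DEFLATE is substituted for the compression stage. The random IV prepended to the ciphertext, the PKCS#7 padding, the 4-byte big-endian length prefix and the 32-byte key are all assumptions, since the analysis does not publish those details. The JSON body is the upload request quoted above with a constructed placeholder in data.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// maxFrame caps the length prefix so a hostile peer cannot force a huge allocation.
const maxFrame = 16 << 20

// Seal runs the three stages in the reported order: AES-256-CBC (PKCS#7 padded,
// random IV prepended; IV placement is an assumption), then compression (DEFLATE
// standing in for ZSTD), then a 4-byte length prefix for the socket (assumed
// framing). The ciphertext is returned too so callers can compare sizes.
func Seal(key, plain []byte) (frame, ct []byte, err error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct = make([]byte, aes.BlockSize+len(padded))
	if _, err = io.ReadFull(rand.Reader, ct[:aes.BlockSize]); err != nil {
		return nil, nil, err
	}
	cipher.NewCBCEncrypter(block, ct[:aes.BlockSize]).CryptBlocks(ct[aes.BlockSize:], padded)

	var comp bytes.Buffer
	w, _ := flate.NewWriter(&comp, flate.BestCompression) // only errors on a bad level
	w.Write(ct)
	w.Close()
	frame = make([]byte, 4+comp.Len())
	binary.BigEndian.PutUint32(frame, uint32(comp.Len()))
	copy(frame[4:], comp.Bytes())
	return frame, ct, nil
}

// Open reverses Seal from a byte stream, as the C2 server (or an analyst
// replaying a capture with a recovered key) would.
func Open(key []byte, r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	if n > maxFrame {
		return nil, errors.New("frame too large")
	}
	body := make([]byte, n)
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, err
	}
	zr := flate.NewReader(bytes.NewReader(body))
	ct, err := io.ReadAll(io.LimitReader(zr, maxFrame))
	zr.Close()
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key, not one recovered from the malware
	// The JSON envelope quoted in the article; "data" would carry the image
	// (its encoding is not described, base64 is an assumption).
	body := []byte(`{"path":"upload@","method":"POST","contentType":"application/json","data":"iVBORw0KGgo="}`)
	frame, ct, err := Seal(key, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext %d, ciphertext %d, compressed body %d bytes\n", len(body), len(ct), len(frame)-4)
	got, err := Open(key, bytes.NewReader(frame))
	if err != nil {
		panic(err)
	}
	fmt.Printf("server side recovered: %s\n", got)
}
```

One thing the example makes visible: because AES output is indistinguishable from random bytes, compressing after encrypting saves nothing, and the compressed body comes out a few bytes larger than the ciphertext. Had the authors compressed first, the JSON and base64 image data would shrink considerably. The order is still the one the analysts reported, and it is a usable fingerprint for traffic analysis: a compressed stream whose payload did not shrink at all is a hint that what it carries is ciphertext.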

The malware’s presence in both official app stores shows the evolving threat landscape and the need for enhanced security measures.

Users are advised to be cautious with app permissions, especially requests for access to the photo gallery, and to avoid keeping screenshots or photos of wallet recovery phrases on the device at all, since that is precisely what this campaign harvests.


The post 242,000 Times Downloaded Malicious Apps from Android and iOS Stealing Crypto Keys appeared first on Cyber Security News.