
Malicious Google Play, Apple App Store apps steal crypto wallets

by Arun Maity

Photo: Tada Images / Shutterstock.com

Several apps on the Apple App Store and Google Play Store were found to contain a malicious Software Development Kit (SDK) that uses Optical Character Recognition (OCR) to read crypto wallet recovery phrases out of images stored on the device and send them to the attackers.

The campaign has been named SparkCat after one of the malicious SDK components, "Spark," found in the infected apps. The infected Android apps were downloaded more than 242,000 times from the Play Store, and the campaign is also the first known instance of a stealer of this kind being uncovered on the Apple App Store.

Kaspersky found Android and iOS apps with a malicious framework/SDK embedded to steal crypto wallet recovery phrases; some of them were available for download on the official Android and iOS app stores. On Android, Spark is a Java component of the malicious SDK that is disguised as an analytics module. It uses an encrypted configuration file hosted on GitLab to receive commands and operational updates.

The iOS framework uses a Rust-based networking module called "im_net_sys" to communicate with its command-and-control (C2) servers and ships under different names such as "Gzip," "stat," and "googleappsdk." It uses the Google ML Kit OCR library to extract text from images on the device, looking for recovery phrases that can be used to load the victim's crypto wallet on the threat actor's device without a password.

[Image] One of the infected apps on the Google Play Store with over 10,000 downloads. | Source: Kaspersky

“It (the malicious component) loads different OCR models depending on the language of the system to distinguish Latin, Korean, Chinese and Japanese characters in pictures,” Kaspersky said. “Then, the SDK uploads information about the device to the command server along the path /api/e/d/u, and in response, receives an object that regulates the subsequent operation of the malware.”

The malware filters the recognised text using keyword lists in several languages, and the lists differ by region. Although only some of the apps showed region-specific targeting, nothing prevents them from working outside the targeted regions, so users elsewhere should not assume they are unaffected.
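As an added example for this page (not tooling from the article or from Kaspersky's report), the Python script below shows one way a responder could triage an app that has already been unpacked to a directory (an APK unzipped, or the .app folder out of an IPA) against the identifiers named above: the "im_net_sys" module, the "googleappsdk" alias and the "/api/e/d/u" C2 path. The Google ML Kit package and framework names it looks for are assumptions about that library's naming and are only a prerequisite for OCR, never proof of infection on their own; the sample bundle the script builds is constructed purely for the demonstration.

```python
"""Static indicator scan for the SparkCat components named in the article.

Added example, not Kaspersky's tooling. Walks an unpacked app bundle and
reports which files carry the article's identifiers. Short, generic names
("Gzip", "stat", "Spark") are deliberately not searched for as strings,
because they would match almost any binary.
"""
import os
import tempfile
from dataclasses import dataclass

# Identifiers quoted in the article.
SPARKCAT_STRINGS = {
    b"im_net_sys": "Rust networking module of the iOS framework",
    b"/api/e/d/u": "C2 path for device-info upload and config fetch",
    b"googleappsdk": "alias the iOS framework ships under",
}

# ASSUMED markers for Google ML Kit, the OCR engine the SDK uses. Legitimate
# apps ship it too, so it only raises priority when combined with the above.
MLKIT_STRINGS = {
    b"com.google.mlkit": "Google ML Kit package prefix (Android, assumed)",
    b"MLKitTextRecognition": "ML Kit text-recognition framework (iOS, assumed)",
}


@dataclass
class Hit:
    path: str
    indicator: str
    description: str


def scan_file(path: str, patterns: dict) -> list:
    """Return a Hit for every pattern found in the raw bytes of one file."""
    with open(path, "rb") as f:
        data = f.read()
    return [Hit(path, p.decode(), d) for p, d in patterns.items() if p in data]


def scan_bundle(root: str) -> dict:
    """Recursively scan an unpacked app and return hits plus a verdict.

    "suspicious": an article-listed SparkCat string was found.
    "review":     only the OCR library was found; check what it reads.
    "clean":      neither.
    """
    hits, mlkit = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            hits += scan_file(path, SPARKCAT_STRINGS)
            mlkit += scan_file(path, MLKIT_STRINGS)
    verdict = "suspicious" if hits else ("review" if mlkit else "clean")
    return {"verdict": verdict, "hits": hits, "mlkit": mlkit}


def build_demo_bundle(infected: bool = True) -> str:
    """Constructed sample tree standing in for an unpacked iOS app.

    Not a real app: a fake Mach-O header followed by padding and the strings
    the scan looks for. With infected=False only the OCR library is present.
    """
    root = tempfile.mkdtemp(prefix="sparkcat_demo_")
    frameworks = os.path.join(root, "Frameworks")
    os.makedirs(frameworks)
    macho_magic = b"\xcf\xfa\xed\xfe"
    with open(os.path.join(root, "Info.plist"), "wb") as f:
        f.write(b"<plist><dict><key>CFBundleName</key><string>demo</string></dict></plist>")
    with open(os.path.join(frameworks, "MLKitTextRecognition"), "wb") as f:
        f.write(macho_magic + b"\x00" * 32 + b"MLKitTextRecognition\x00")
    if infected:
        # The SDK under one of its aliases, carrying the module name and C2 path.
        with open(os.path.join(frameworks, "stat"), "wb") as f:
            f.write(macho_magic + b"\x00" * 64 + b"im_net_sys\x00/api/e/d/u\x00")
    return root


if __name__ == "__main__":
    result = scan_bundle(build_demo_bundle())
    print("verdict:", result["verdict"])
    for h in result["hits"] + result["mlkit"]:
        print(f"  {h.indicator:22} {h.path}  ({h.description})")
```

The scan is byte-based on purpose: the iOS component is a native framework and the Android component is compiled Java, so neither can be grepped as source. Treat a "review" verdict as a prompt to look at what the OCR code is pointed at (gallery access plus text recognition in an app with no visible reason for either is the behaviour the article describes), and treat any "suspicious" hit as grounds to pull the app and check outbound traffic to the C2 path.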

According to the cybersecurity company, 18 infected Android apps and 10 infected iOS apps were uncovered, several of which were still available in their app stores at the time of the report. One of the infected apps, Android ChatAi, had been installed more than 50,000 times before it was removed from the Play Store.

The company provided a full list of affected apps in its report. Anyone who has one of the listed apps installed should remove it and scan the device with a security tool for leftover components; a factory reset is a further option. Do not keep screenshots of crypto wallet recovery phrases or other secrets on the device. Store such data in encrypted storage, a hardware vault or an offline password manager instead.


Arun Maity

Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
