Beware! This crypto-stealing malware is targeting Android, iOS users
What's the story
A new malware, dubbed SparkCat, is putting the security of Android and iOS users at risk.
The malicious software development kit (SDK) has been spotted in many apps on Google Play and Apple App Store.
It is designed to steal the content of cryptocurrency wallets using optical character recognition (OCR) technology.
The campaign has already affected thousands of users.
Malware operation
Unique operating mechanisms on different platforms
The malicious SDK, SparkCat, behaves differently on Android and iOS devices.
On Android, it uses a Java component called Spark that poses as an analytics module.
This component fetches encrypted configuration files from GitLab containing updates and commands for the malware.
On iOS, the framework appears under different names such as Gzip, googleappsdk or stat, and communicates with its C2 servers through a Rust-based networking module called imnetsys.
Objective
SparkCat's primary function and data extraction process
The primary goal of SparkCat is to scan pictures on a user's device for cryptocurrency wallet recovery phrases.
These phrases are usually stored as screenshots or photos and are used to gain access to cryptocurrency wallets.
The malware uses Google ML Kit OCR to extract text from images and searches it for specific keywords across several scripts and languages, including Latin, Korean, Chinese, and Japanese.
Once a recovery phrase is detected, the stolen data is sent to the attackers' servers.
Spread
SparkCat's region-specific strategies and infected apps
Kaspersky's investigation also found that SparkCat is region-specific, using different keywords and targeting strategies for regions such as Europe and Asia.
However, the researchers warn that these apps could still work outside their intended regions, risking a wider audience.
So far, 18 Android apps and 10 iOS apps have been flagged as infected. One example is the Android app ChatAi, which had over 50,000 downloads before being pulled from the Google Play Store.
Safety measures
Expert advice on dealing with SparkCat-infected apps
If you suspect you have installed any malware-infected apps, uninstall them immediately.
Experts also recommend installing a reliable mobile antivirus tool to scan your device for any residual traces of the malware.
In severe cases, you may even have to go for a factory reset to perform a complete removal.
Self-hosted and offline password managers with vault features can also add an extra layer of security against such threats.