Quick Takes
- An optical character recognition (OCR) malware campaign, called SparkCat, has been found in the software development kits (SDKs) of Android and iOS apps. It targets crypto users by hunting for their wallet recovery phrases, watching their on-screen activity and searching their photo gallery.
- Kaspersky analysts have listed 18 apps on the Google Play Store and 10 apps on the Apple App Store that are affected by the malware. A majority of these apps are fake and created with Spark embedded in their code while others are real ones compromised via a supply chain attack.
- The origin of the malware is unclear and it is seemingly targeting Android and iOS users across Asia and Europe. Kaspersky has provided a list of apps affected by SparkCat and is asking users to factory reset devices that have installed the malware.
Cybersecurity firm Kaspersky has discovered that software development kits used to make apps on Google’s Play Store and Apple’s App Store contain a malicious component called “SparkCat” that is designed to steal users’ crypto wallet recovery phrases by scanning their devices’ gallery app.

SparkCat Malware Targeting Android And iOS Users In Asia And Europe Is Stealing Crypto Wallet Phrases
Kaspersky analysts Sergey Puzan and Dmitry Kalinin detailed in a February 4 report that apps infected by SparkCat were downloaded over 240,000 times on the Google Play Store alone. This is also the first known case of an optical character recognition (OCR) stealer being found on iOS devices. The malware, which became active in March 2024, is mainly targeting Android and iOS users in Asia and Europe.
An OCR stealer is a type of malware that uses optical character recognition to extract sensitive information, such as passwords, credit card details, or personal identification data, from images or documents on an infected device. Such software can capture text from screenshots, scanned documents, or even data that is visible on screen during normal use.
On Android, the malicious software development kit (SDK) utilizes a malicious Java component called “Spark” which is disguised as an analytics module. Within the SDK is an encrypted configuration file stored on the web-based software development platform GitLab, which provides the commands and operational updates for the malware.
Meanwhile, on iOS, the malware uses different names like “Gzip”, “googleappsdk”, or “stat”. It utilizes a Rust-based networking module called “im_net_sys” to handle communication with the command and control servers.
The Rust-based networking module then uses the Google ML Kit OCR to extract text from images on an infected device, searching for recovery phrases that can be used to load the victims’ crypto wallets on the attackers’ devices.
Kaspersky says SparkCat is present in at least 18 Android apps and 10 iOS apps, some of them legitimate and others fake. They also share the same traits: use of Rust, a programming language rarely used to develop mobile apps; cross-platform capability; and obfuscation that makes analysis and detection a hard task.
True Origin Of SparkCat Remains Unknown, But Chinese Commands Found In Code
Puzan and Kalinin said it is unclear whether the affected apps were infected by a supply chain attack or if their developers intentionally embedded the malware in them. They found that some apps, such as food delivery services, appear legitimate, while others, like messaging apps with AI features, were specifically built to lure victims.
The Kaspersky researchers are not sure about the malware’s origin, stating that it cannot be linked to any known hacking group, but its functionalities are similar to a campaign discovered by cybersecurity analysts in March 2023. However, the duo found comments and error descriptions written within the code in Mandarin, giving them reason to believe that the developer of the malicious software is either of Chinese origin or fluent in the language.
One of the infected apps discovered by Kaspersky is ChatAi, which has been installed by Android users over 50,000 times. This app can no longer be found on the Google Play Store. On iOS, two apps – WeTink and AnyGPT – created by a developer named AI Learning & Tech Solutions Limited have been flagged by the Kaspersky team.
Affected Users Advised To Factory Reset Their Android Or iOS Devices
A full list of the impacted apps can be found in the Kaspersky report. The cybersecurity firm has advised Android and iOS users who have installed these apps on their devices to immediately uninstall them and use a mobile antivirus tool to scan for any traces of the malware. Affected devices must be factory reset to fully remove SparkCat.
Generally, storing crypto wallet recovery phrases in screenshots or as notes on a computer or mobile device is a practice that should be avoided at all costs. Instead, crypto users are strongly advised to store their seed phrases by writing them on paper and keeping them in a safe place, on encrypted removable storage devices, or in the vault of a self-hosted, offline password manager.
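As an added defensive example (not code from the Kaspersky report or this article), the following scanner checks text pulled from a screenshot for a checksum-valid BIP39 recovery phrase, so a user or a data-loss-prevention tool can find seed phrases that were left in a gallery, as described above, and move them off the device before an OCR stealer finds them. It assumes the caller supplies the official 2048-word BIP39 English wordlist in index order; the two-word list embedded here is a constructed stand-in covering only the well-known all-zero-entropy test vector.

```python
import hashlib
import re

# Valid BIP39 mnemonics have 12, 15, 18, 21 or 24 words; each word encodes 11 bits,
# and the last len(words) // 3 bits are a SHA-256 checksum of the entropy.
MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)

# Constructed stand-in for the official 2048-word BIP39 English wordlist: only the
# two words used by the standard test vector, mapped to their real list indices.
# A real deployment loads the full list, since the index order drives the checksum.
SAMPLE_INDEX = {"abandon": 0, "about": 3}

# Constructed sample of text as an OCR engine might return it for a screenshot.
OCR_SAMPLE = ("My wallet backup: abandon abandon abandon abandon abandon abandon "
              "abandon abandon abandon abandon abandon about  (keep safe!)")


def mnemonic_checksum_ok(words, index):
    """Return True if `words` is a checksum-valid BIP39 mnemonic under `index`."""
    if len(words) not in MNEMONIC_LENGTHS or any(w not in index for w in words):
        return False
    bits = "".join(format(index[w], "011b") for w in words)
    cs_len = len(words) // 3
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return cs_bits == expected


def find_recovery_phrases(text, index):
    """Slide a window over OCR'd text and return every checksum-valid phrase found.

    Keyword matching alone would flag any run of wordlist words; verifying the
    checksum keeps false positives down when scanning a whole gallery.
    """
    tokens = re.findall(r"[a-z]+", text.lower())
    found = []
    for n in MNEMONIC_LENGTHS:
        for i in range(len(tokens) - n + 1):
            window = tokens[i:i + n]
            if mnemonic_checksum_ok(window, index) and window not in found:
                found.append(window)
    return found


if __name__ == "__main__":
    for phrase in find_recovery_phrases(OCR_SAMPLE, SAMPLE_INDEX):
        print("exposed recovery phrase found:", " ".join(phrase))
```

With the full wordlist loaded, the same functions accept any mnemonic length in `MNEMONIC_LENGTHS`.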