Malicious software development kits used to make apps on Google’s Play Store and Apple’s App Store are scanning users’ pictures to find crypto wallet recovery phrases to drain the funds within, says cybersecurity firm Kaspersky Labs.
Kaspersky analysts Sergey Puzan and Dmitry Kalinin said in a Feb. 4 report that once the malware called SparkCat infects a device, it searches for images using specific keywords in different languages through an optical character recognition (OCR) stealer.
“The intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds,” Puzan and Kalinin wrote.
“It should be noted that the flexibility of the malware allows it to steal not only secret phrases but also other personal data from the gallery, such as the content of messages or passwords that could remain on screenshots.”
Kaspersky’s analysts recommended not to store sensitive information in screenshots or a phone’s picture gallery and instead use a password manager. They also said to remove any suspect or infected apps.
Puzan and Kalinin said that, on Android apps, the malware uses a Java component called Spark, disguised as an analytics module, and an encrypted configuration file stored on GitLab, which provides commands and operational updates.
A trust-based networking module uses Google ML Kit OCR to extract text from images on an infected device, searching for recovery phrases that can be used to load crypto wallets on attackers’ devices without knowing the password.
Kaspersky estimates the malware has been active since at least March 2024, downloaded an estimated 242,000 times, and mainly targets Android and iOS users in Europe and Asia.
They claim the malware is in dozens of apps, both real and fake, across Google’s and Apple’s app stores but has the same features across them all, such as the use of the rust language, which is “rarely found in mobile applications,” cross-platform capability, and obfuscation that makes analysis and detection difficult.
Puzan and Kalinin said it’s unclear if the affected apps “were infected as a result of a supply chain attack or whether the developers intentionally embedded the Trojan in them.”
“Some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims — for example, we have seen several similar “messaging apps” with AI features from the same developer,” they added.
Related: Crypto hacks, scam losses reach $29M in December, lowest in 2024
Puzan and Kalinin said the origin of the malware is unclear, and it can’t be attributed to any known group, but it is similar to a March 2023 campaign found by ESET researchers.
However, the pair did find comments and error descriptions written in Chinese within the code, giving them “reason to believe that the developer of the malicious module is fluent in Chinese.”
Google and Apple did not immediately respond to requests for comment.
Magazine: You should ‘go and build’ your own AI agent: Jesse Pollak, X Hall of Flame
