A newly discovered campaign, dubbed SparkCat, embeds a malicious SDK in apps that look legitimate and are distributed through official app stores, including Google Play and the Apple App Store.
According to the reports, the SDK acts as an OCR stealer: it uses optical character recognition (OCR) to read cryptocurrency wallet recovery phrases out of images stored on the device. The infected apps have already gathered at least 240,000 downloads on Google Play.
On Android, the SDK hides its malicious functionality in a Java component named “Spark,” which is camouflaged as an analytics module. The component receives its commands and operational updates from an encrypted configuration file hosted on GitLab.
On iOS, the same framework appears under several names, such as “Gzip,” “googleappsdk,” or “stat,” and uses a Rust-based networking module to communicate with its command-and-control (C2) servers.
The module uses Google ML Kit OCR to extract text from photographs stored on the device. The goal is to find wallet recovery phrases (seed phrases): whoever holds such a phrase can restore the wallet on their own device and spend its funds without knowing any password.
The SDK then sends device information to the command server via the path /api/e/d/u and receives in response an object that controls the malware’s subsequent operation.
The malware searches the infected device’s photos for images likely to contain secrets, matching keywords in several languages that vary by target region. Researchers also noted that although some apps are configured to target specific regions, they may still operate outside those geographic boundaries.
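As an added example (not code from the original report or from the campaign’s authors), the following Python script turns the indicators described above into a triage check. It scores strings extracted from an app package for the combination of ML Kit text recognition, a GitLab-hosted configuration, the SDK module names and the /api/e/d/u path, and scans proxy-style HTTP log lines for beacons to that path. The ML Kit package and Gradle-coordinate patterns, the log line format and all sample inputs are assumptions constructed for the example.

```python
"""Triage helper built from the SparkCat indicators described in the article.
The indicator values (module names, C2 path, GitLab-hosted config, ML Kit OCR)
come from the article; the ML Kit package patterns, the proxy-log format and
every sample input below are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Module names the SDK hides behind (article). "stat" is too generic to score.
MODULE_NAMES = {"spark": 1, "gzip": 1, "googleappsdk": 2, "stat": 0}
C2_PATH = "/api/e/d/u"  # device-info upload path (article)
GITLAB_RE = re.compile(r"https?://gitlab\.com/\S+", re.I)
# Assumption: Android code references ML Kit text recognition through the
# com.google.mlkit.vision.text package or the text-recognition Gradle artifact.
MLKIT_TEXT_RE = re.compile(r"com\.google\.mlkit(\.vision\.text|:text-recognition)", re.I)
SUSPICIOUS_THRESHOLD = 5  # OCR alone is legitimate; the combination is what matters
# Constructed proxy-log layout: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


@dataclass
class TriageResult:
    score: int = 0
    hits: list[str] = field(default_factory=list)

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.hits.append(reason)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def triage_strings(strings: list[str]) -> TriageResult:
    """Score strings pulled from an app package (class names, dependency
    coordinates, URLs). Each indicator is counted once."""
    result = TriageResult()
    seen: set[str] = set()

    def hit(key: str, weight: int, reason: str) -> None:
        if key not in seen:
            seen.add(key)
            result.add(weight, reason)

    for s in strings:
        low = s.lower()
        if MLKIT_TEXT_RE.search(s):
            hit("mlkit", 2, f"ML Kit text recognition referenced: {s}")
        if GITLAB_RE.search(s):
            hit("gitlab", 2, f"GitLab-hosted resource (remote config?): {s}")
        if C2_PATH in low:
            hit("c2", 4, f"C2 upload path present: {s}")
        for name, weight in MODULE_NAMES.items():
            # Match the name as a whole package/path segment, e.g. ".spark." or "/Gzip/".
            if re.search(rf"(^|[./]){name}([./]|$)", low):
                hit(name, weight, f"SDK module name '{name}' in: {s}")
    return result


def find_c2_beacons(log_lines: list[str]) -> list[dict[str, str]]:
    """Return requests whose URL path is the C2 endpoint; malformed lines are skipped."""
    beacons = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.path.rstrip("/") == C2_PATH:
            beacons.append({"client": m["src"], "host": url.hostname or "", "method": m["method"]})
    return beacons


# Constructed sample input, in the shape a string dump of a decompiled APK would give.
SAMPLE_STRINGS = [
    "com.google.mlkit.vision.text.TextRecognition",
    "com.example.analytics.spark.SparkInit",
    "https://gitlab.com/constructed-example/cfg/-/raw/main/config.enc",
    "https://config-host.invalid/api/e/d/u",
    "androidx.appcompat.widget.Toolbar",
]
# Constructed proxy log; .invalid hosts are reserved and never resolve.
SAMPLE_LOG = [
    "2025-02-05T09:12:01Z 10.0.0.23 POST https://config-host.invalid/api/e/d/u 200",
    "2025-02-05T09:12:03Z 10.0.0.23 GET https://cdn.example.invalid/assets/app.js 200",
    "not a log line",
    "2025-02-05T09:15:44Z 10.0.0.41 POST https://other.invalid/api/e/d/u/ 200",
]

if __name__ == "__main__":
    r = triage_strings(SAMPLE_STRINGS)
    print(f"score={r.score} suspicious={r.suspicious}")
    for h in r.hits:
        print("  -", h)
    for b in find_c2_beacons(SAMPLE_LOG):
        print("beacon:", b)
```

The scoring deliberately keeps an ML Kit reference on its own below the threshold: plenty of legitimate apps ship OCR. What makes the sample suspicious is OCR plus a GitLab-hosted config plus the C2 path in one package, which is the combination the article describes.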
Researchers confirmed eighteen infected Android apps and ten infected iOS apps, many of which were still available in their respective app stores at the time of reporting. One of the infected apps, the Android ChatAi app, had been downloaded over 50,000 times; it is no longer available on Google Play.
The discovery is a reminder to install only applications you actually need, to be wary of any app that asks for access to the photo gallery without an obvious reason, and, above all, never to keep a wallet recovery phrase as a screenshot or photo on the device, since that is exactly what this campaign reads.
