DIGITAL LIFE

Malicious apps on Android and iOS scan screenshots to steal cryptocurrencies
A new malware campaign dubbed SparkCat has leveraged a suite of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets.
The attacks leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to a command-and-control (C2) server, Kaspersky researchers Dmitry Kalinin and Sergey Puzan said in a technical report.
The moniker is a reference to an embedded software development kit (SDK) that employs a Java component called Spark that masquerades as an analytics module. It's currently not known whether the infection was a result of a supply chain attack or if it was intentionally introduced by the developers.
While this is not the first time Android malware with OCR capabilities has been detected in the wild, it's one of the first instances where such a stealer has been found in Apple's App Store. The infected apps in Google Play are said to have been downloaded over 242,000 times.
Taking screenshots on modern mobile devices is incredibly easy. However, inexperienced users often overlook the potential security risks of saving images containing sensitive data. This oversight can lead to financial losses, as cybercriminals are always ready to exploit such lapses in operational security.
Kaspersky has uncovered a new malware campaign designed to breach users' crypto wallets and steal Bitcoin and other cryptocurrencies. Dubbed SparkCat, the malware leverages advanced optical character recognition technology integrated into modern smartphone platforms to scan for recovery phrases used to access crypto wallets. Notably, it affects both Android and iOS ecosystems.
SparkCat was found embedded in several Android and iOS apps, some of which were available in official app stores. The malware employs a malicious SDK that integrates Google's OCR technology, enabling it to scan users' photo galleries for screenshots and extract crypto wallet recovery codes from images.
The infected apps discovered on Google Play had been downloaded over 242,000 times. Meanwhile, some malicious apps targeting iOS remain available for download, including two AI chat tools (WeTink and AnyGPT) and a Chinese food delivery app (ComeCome).
Kaspersky believes the SparkCat campaign has likely been active since March 2024. The malicious apps featured a previously unseen protocol written in Rust, used for communicating with command-and-control servers operated by the cybercriminals behind the attack.
The origin of SparkCat remains unclear. Kaspersky has not determined whether the infection was part of a sophisticated supply chain attack or the result of deliberate actions by the app developers. The malware employs tactics previously observed by researchers in 2023, when ESET analysts discovered malicious "implants" in Android and Windows apps designed to scan images for crypto wallet access codes.
SparkCat underscores the risks of poor security practices on personal mobile devices. Saving screenshots in a phone's gallery is already a potential vulnerability, but for users who have invested in cryptocurrency, it can turn into a serious security threat.
mundophone
