TLDR
- The malware, dubbed SparkCat, has compromised more than 242,000 Android and iOS devices through seemingly harmless apps, using optical character recognition (OCR) to harvest crypto wallet keys from users' photo galleries.
- Since its emergence in March 2024, SparkCat has been proliferated through tainted software development kits, sneaking into apps available on reputable app stores.
- This is the first known OCR-based cryptocurrency-stealing malware to affect Apple's iOS.
- The malicious code scans pictures for text in several languages and quietly sends the stolen data to attacker-controlled servers, either via Amazon cloud storage or over a custom protocol written in Rust.
- Analysis of the malicious code hints that the creators are proficient in Chinese, though the exact origins are still shrouded in mystery.
An advanced malware campaign known as SparkCat has infected more than 242,000 mobile devices across Europe and Asia, targeting cryptocurrency users through compromised apps on both Android and iOS. Security firm Kaspersky disclosed the findings in a report released on February 4, explaining how the malware uses optical character recognition to steal private crypto wallet keys.
Active since March 2024, the malware made its way into both Google Play and Apple's App Store inside apps that appeared legitimate. The infected apps fall into popular categories such as food delivery and messaging, showing the attackers' ability to get past standard security checks.
SparkCat sets a new technical benchmark in malware evolution as the first OCR-based crypto-stealer to reach Apple's iOS, raising fresh concerns about the growing sophistication of mobile cryptocurrency threats. On Android, the malicious code ships as an SDK known as Spark, posing as an analytics module to avoid attention. Once an app containing the SDK is launched, it contacts a remote GitLab repository to fetch its configuration.
The iOS variant of SparkCat takes a different approach, using a rogue framework that hides under several names such as GZIP, googleappsdk, or stat. Written in Objective-C, it is obfuscated with HikariLLVM to evade detection.
Both the Android and iOS versions of this malware exploit Google ML Kit’s OCR features to skim through users’ photo galleries, scouring for crypto wallet recovery phrases. The scan supports a range of languages, including English, Chinese, Korean, Japanese, and several European tongues.
To keep a low profile on iOS devices, the malware only solicits gallery access when users engage in specific actions like initiating a support chat. This strategic approach helps the malware stay under the radar by avoiding needless permission requests.
Upon identifying potentially valuable cryptocurrency-related data in images, SparkCat uploads that information to attacker-controlled servers. The transfer takes place either through Amazon's cloud services or over a custom protocol written in Rust; the encrypted exchanges and unconventional communication channels make the traffic harder to track.
This malware extends its reach beyond cryptocurrency theft. According to Kaspersky’s researchers, the flexible nature of SparkCat allows it to capture other sensitive information, such as message contents and passwords, possibly saved in screenshots by users.
While the origin of SparkCat is still uncertain, an assessment of its code uncovered comments and error messages in Chinese, suggesting the developers possess fluency in the language. Yet, no specific group or region has been conclusively linked to this campaign.
The SparkCat episode continues a trend of increasingly refined attacks on the cryptocurrency sector. Back in September 2024, crypto exchange Binance warned of another significant threat, a clipper malware that targeted users through unofficial mobile applications and add-ons.
Kaspersky's researchers have issued advice for mobile users, stressing that sensitive data such as seed phrases, private keys, and passwords should never be stored as screenshots or photos on their devices.
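As an added illustration of that advice (not code from the report or from Kaspersky), the heuristic below audits OCR text extracted from a user's own screenshots and flags images that appear to contain a recovery phrase so they can be removed from the device; the file names, OCR strings and thresholds are constructed for the example.

```python
import re

# Constructed OCR output samples (not from the Kaspersky report): the kind of
# text an on-device OCR pass over a user's own screenshots might return.
SAMPLE_OCR = {
    "IMG_0001.png": "Your recovery phrase\n1. abandon 2. ability 3. able 4. about\n"
                    "5. above 6. absent 7. absorb 8. abstract\n"
                    "9. absurd 10. abuse 11. access 12. accident",
    "IMG_0002.png": "Lunch at 12:30 with the team, bring the slides and the Q3 numbers.",
    "IMG_0003.png": "seed shadow table garden mirror window bridge candle forest river "
                    "stone pencil apple orange eagle turtle hammer violin silver planet "
                    "rocket castle anchor dragon",
}
# BIP-39 mnemonic words are 3-8 lowercase ASCII letters and real phrases hold
# 12, 15, 18, 21 or 24 of them. A word-list check would be stricter; this
# shape-based heuristic needs no list and still rejects ordinary notes.
MNEMONIC_WORD = re.compile(r"^[a-z]{3,8}$")
WORD_TOKEN = re.compile(r"[a-z]+")


def mnemonic_word_run(text):
    """Return (longest run of consecutive mnemonic-shaped words, share of words
    that are mnemonic-shaped). Index labels like '7.' contain no letters, so a
    numbered wallet backup screen still yields one unbroken run."""
    tokens = WORD_TOKEN.findall(text.lower())
    if not tokens:
        return 0, 0.0
    best = cur = hits = 0
    for tok in tokens:
        if MNEMONIC_WORD.match(tok):
            cur += 1
            hits += 1
            best = max(best, cur)
        else:
            cur = 0  # short words like 'a', 'at', 'of' break the run
    return best, hits / len(tokens)


def looks_like_seed_phrase(text, min_words=12, min_ratio=0.9):
    """True when the text is mostly mnemonic-shaped words with a long run."""
    run, ratio = mnemonic_word_run(text)
    return run >= min_words and ratio >= min_ratio


def audit_ocr_results(ocr_by_file):
    """Return [(filename, run_length)] for images the user should delete or
    move to an offline backup; the caller decides what to do with them."""
    return [(name, mnemonic_word_run(text)[0])
            for name, text in ocr_by_file.items() if looks_like_seed_phrase(text)]
```

Run against real OCR output the thresholds will need tuning, and a check against the actual BIP-39 word list would cut false positives further.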
The discovery of SparkCat adds another layer of complexity to the security challenges facing the cryptocurrency industry. The malware's ability to get into official app stores underscores the ongoing contest between defenders and malicious actors in the mobile app ecosystem.
The extensive reach of this infection, spanning over 242,000 devices, positions it among the larger mobile malware campaigns against cryptocurrency users in recent times. Its geographical coverage across Europe and Asia indicates a strategic and coordinated effort by the perpetrators.
The Editor-in-Chief of Blockonomi and the mastermind behind Kooc Media — a thriving online media company based in the UK. An ardent supporter of Open-Source Software, Believer in the transformative potential of Blockchain Technology, and advocate for Free and Fair Internet for everyone.
His articulate writings have been acknowledged by prominent entities like Nasdaq, Dow Jones, Investopedia, The New Yorker, Forbes, TechCrunch, and many others. For inquiries, reach out to [email protected]