
A malware SDK in Google Play apps | Source: Kaspersky Labs
Kaspersky Labs researchers have uncovered a malware campaign dubbed “SparkCat” that uses optical character recognition (OCR) to locate and steal cryptocurrency wallet recovery phrases from Android and iOS devices. The campaign reached official app stores: infected apps were downloaded more than 242,000 times from Google Play alone.
It is also the first known case of a stealer being found in Apple’s App Store. Hidden inside otherwise functional apps, the malware runs OCR over the images in a user’s photo gallery, looks for text that resembles a wallet recovery phrase, and sends the matching images to the attackers’ command-and-control (C2) server.
The malware operates by decrypting and launching an OCR plug-in built on Google’s ML Kit text-recognition library. Once the app has been granted access to the photo gallery, the plug-in runs text recognition over the stored images and compares the recognized text against a keyword list supplied by the C2 server. Any image whose text contains one of those keywords is uploaded to the attackers.
SparkCat uses a custom C2 communication protocol implemented in Rust, a language rarely seen in mobile apps. Rust binaries are harder to reverse engineer with the usual mobile tooling, so the choice is likely intended to slow down analysis and evade detection by security researchers and antivirus products.
One of the infected apps, a food delivery app named “ComeCome,” was downloaded more than 10,000 times from Google Play. Other infected apps, spanning several categories, were found in both official and unofficial app stores.
What makes SparkCat particularly alarming is that it passed Apple’s App Store review and was distributed through the official store.
Researchers noted: “This is the first known case of an app infected with OCR spyware being found in Apple’s official app marketplace.”
The iOS version of the malware worked the same way as its Android counterpart, relying on Google’s ML Kit library for text recognition and on the same custom Rust-implemented protocol for communicating with the C2 servers.
The presence of SparkCat in both Google Play and the App Store shows that store review, however rigorous, does not reliably catch a malicious SDK embedded in an otherwise working app. Malicious apps continue to slip through, putting users at risk.
Analysis of SparkCat’s keyword lists revealed that the malware specifically targeted victims in Europe and Asia. Keywords were detected in multiple languages, including English, Chinese, Japanese, Korean, French, Italian, Czech, Polish, and Portuguese.
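The selection step described above (OCR text from each gallery image checked against a C2-supplied keyword list, with keywords in the languages just named) is modelled offline in the following Python, written as an added example for this article; it is neither Kaspersky’s code nor the malware’s. The OCR output and the keyword list are constructed stand-ins (the real C2 list is not public), and the second check, which flags text shaped like a 12- or 24-word recovery phrase even when no keyword appears, is an addition not described in the article. The same logic can be pointed at real OCR output to audit what a gallery would give away.

```python
"""Offline model of SparkCat's image-selection step (added example, not
Kaspersky's or the malware's code).  OCR output is simulated with constructed
strings so the logic runs without ML Kit or a device."""

import re
import unicodedata

# Constructed keyword list: a few terms per language named in the article.
# These are illustrative guesses, not the list the C2 server serves.
KEYWORDS = {
    "en": ["recovery phrase", "seed phrase", "mnemonic", "secret phrase"],
    "zh": ["助记词", "恢复短语"],
    "ja": ["リカバリーフレーズ", "シードフレーズ"],
    "ko": ["복구 구문", "니모닉"],
    "fr": ["phrase de récupération"],
    "it": ["frase di recupero"],
    "cs": ["obnovovací fráze"],
    "pl": ["fraza odzyskiwania"],
    "pt": ["frase de recuperação"],
}

# Constructed OCR output, keyed by image name, standing in for what ML Kit
# would return for each gallery image.
SAMPLE_OCR = {
    "IMG_0001.jpg": "Happy birthday!  See you at the party",
    "IMG_0002.jpg": "Your Secret Recovery Phrase\napple banana cherry ...",
    "IMG_0003.jpg": "请妥善保管您的助记词",
    "IMG_0004.jpg": "Receipt 12,50 EUR  Phrase de récupération",
    "IMG_0005.jpg": "tiger ocean lamp river cabin slate metal bridge candle forest window mango",
    "IMG_0006.jpg": "Meeting notes: discuss Q3 roadmap",
}


def normalize(text):
    """Unicode-normalize and case-fold so matching works across scripts."""
    return unicodedata.normalize("NFKC", text).casefold()


def keyword_hits(text, keywords=KEYWORDS):
    """Return (language, keyword) pairs whose keyword occurs in the OCR text."""
    norm = normalize(text)
    return [(lang, term) for lang, terms in keywords.items()
            for term in terms if normalize(term) in norm]


# BIP-39 words are 3 to 8 lowercase letters; a line of 12 or 24 such words
# looks like a seed phrase regardless of language of the surrounding text.
_WORD = re.compile(r"[a-z]{3,8}")


def looks_like_seed_phrase(text):
    """Heuristic (not in the article): any line of exactly 12 or 24 short
    lowercase words, after stripping the numbering people often add."""
    for line in text.splitlines():
        cleaned = re.sub(r"[\d.:,;()\[\]-]", " ", line.casefold())
        tokens = cleaned.split()
        if len(tokens) in (12, 24) and all(_WORD.fullmatch(t) for t in tokens):
            return True
    return False


def select_images(ocr_results, keywords=KEYWORDS):
    """Images the selection step would exfiltrate, with the reason for each."""
    flagged = {}
    for name, text in ocr_results.items():
        hits = keyword_hits(text, keywords)
        shape = looks_like_seed_phrase(text)
        if hits or shape:
            flagged[name] = {"keywords": hits, "phrase_shape": shape}
    return flagged


if __name__ == "__main__":
    for name, why in select_images(SAMPLE_OCR).items():
        print(name, why)
```

Two things to note from running this: keyword matching alone misses IMG_0005, a bare seed phrase with no label, which is exactly the image a victim is most likely to have, and the shape heuristic catches it but will also flag any ordinary 12-word line of short words. In a real audit, checking each token against the 2048-word BIP-39 list removes most of those false positives.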
Users are advised to be cautious when installing apps, even from official stores. Because this malware works by reading the photo gallery, the most effective protection is to never keep screenshots or photos of a wallet recovery phrase on the device at all, and to review which apps have been granted photo access and revoke it where it is not needed. Keeping devices updated and running security software also helps detect and block such threats.