A brand new malware marketing campaign dubbed SparkCat has leveraged a go well with of bogus apps on each Apple’s and Google’s respective app shops to steal victims’ mnemonic phrases related to cryptocurrency wallets.
The assaults leverage an optical character recognition (OCR) mannequin to exfiltrate choose pictures containing pockets restoration phrases from photograph libraries to a command-and-control (C2) server, Kaspersky researchers Dmitry Kalinin and Sergey Puzan said in a technical report.
The moniker is a reference to an embedded software program improvement equipment (SDK) that employs a Java element known as Spark that masquerades as an analytics module. It is presently not recognized whether or not the an infection was a results of a provide chain assault or if it was deliberately launched by the builders.
Whereas that is not the first time Android malware with OCR capabilities has been detected within the wild, it is one of many first cases the place such a stealer has been present in Apple’s App Retailer. The contaminated apps in Google Play are mentioned to have been downloaded over 242,000 occasions.
The marketing campaign is assessed to have been energetic since March 2024, with the apps distributed by way of each official and unofficial app shops. The functions masquerade as synthetic intelligence (AI), meals supply, and Web3 apps, though a few of them seem to supply authentic performance.
“The Android malware module would decrypt and launch an OCR plug-in constructed with Google’s ML Kit library, and use that to acknowledge textual content it present in pictures contained in the gallery,” Kaspersky mentioned. “Photographs that matched key phrases acquired from the C2 had been despatched to the server.”
In an analogous vein, the iOS model of SparkCat depends on Google’s ML Equipment library for OCR to steal pictures containing mnemonic phrases. A notable side of the malware is its use of a Rust-based communication mechanism for C2, one thing not often noticed in cellular apps.
Additional evaluation of key phrases used and the areas the place these apps had been made obtainable point out that the marketing campaign is primarily concentrating on customers in Europe and Asia. It is assessed that the malicious exercise is the work of a menace actor who’s fluent in Chinese language.
“What makes this Trojan notably harmful is that there is not any indication of a malicious implant hidden inside the app,” the researchers mentioned. “The permissions that it requests could seem like they’re wanted for its core performance or seem innocent at first look.”
The disclosure comes as Zimperium zLabs detailed one other cellular malware marketing campaign concentrating on Indian Android machine house owners by distributing malicious APK recordsdata by way of WhatsApp beneath the guise of banking and authorities functions, permitting the apps to reap delicate perusal and monetary info.
The cybersecurity firm mentioned it has recognized over 1,000 phony apps linked to the marketing campaign, with the attackers leveraging roughly 1,000 hard-coded cellphone numbers as exfiltration factors for SMS messages and one-time passwords (OTPs).
“Not like standard banking Trojans that rely solely on command-and-control (C&C) servers for one-time password (OTP) theft, this malware marketing campaign leverages reside cellphone numbers to redirect SMS messages, leaving a traceable digital path for regulation enforcement companies to trace the menace actors behind this marketing campaign,” safety researcher Aazim Yaswant said.
The assault marketing campaign, named FatBoyPanel, is claimed to have amassed 2.5 GB of delicate information up to now, all of which is hosted on Firebase endpoints which might be accessible to anybody sans authentication.
This consists of SMS messages from Indian banks, financial institution particulars, credit score and debit card info, and government-issued identification particulars belonging to about 50,000 customers, a majority of whom are situated within the Indian states of West Bengal, Bihar, Jharkhand, Karnataka, and Madhya Pradesh.
These incidents inform a cautionary story of the significance of correctly vetting code apps, together with scrutinizing opinions and checking the authenticity of the builders, earlier than downloading them, even when they’re uploaded to official app storefronts.
The event additionally follows the emergence of 24 new malware families concentrating on Apple macOS methods in 2024, up from 21 in 2023, in response to safety researcher Patrick Wardle.
This coincides with a surge in info stealer assaults, comparable to these involving Poseidon, Atomic, and Cthulhu, which might be particularly aimed on the customers of the desktop working system.
“Infostealers leveraging macOS usually exploit the native AppleScript framework,” Palo Alto Networks Unit 42 researchers Tom Fakterman, Chen Erlich, and Tom Sharon said in a report printed this week.
“This framework supplies in depth OS entry, and it additionally simplifies execution with its pure language syntax. Since these prompts can seem like authentic system prompts, menace actors use this framework to trick victims by way of social engineering.”
Replace
The offending apps have been faraway from each Apple App Retailer and Google Play as of February 7, 2025. Google additionally informed The Hacker Information that “Android customers are routinely shielded from recognized variations of this malware with Google Play Shield, which is on by default on Android gadgets with Google Play Providers.”
(The story was up to date after publication to incorporate a response from Google, and that the apps in query are now not accessible.)
Source link