SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images

By The Hacker News
February 6, 2025

A new malware campaign dubbed SparkCat has leveraged a suite of bogus apps on both Apple’s and Google’s respective app stores to steal victims’ mnemonic phrases associated with cryptocurrency wallets.

The attacks leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to a command-and-control (C2) server, Kaspersky researchers Dmitry Kalinin and Sergey Puzan said in a technical report.

The moniker is a reference to an embedded software development kit (SDK) that employs a Java component called Spark that masquerades as an analytics module. It’s currently not known whether the infection was a result of a supply chain attack or if it was intentionally introduced by the developers.

While this is not the first time Android malware with OCR capabilities has been detected in the wild, it’s one of the first instances where such a stealer has been found in Apple’s App Store. The infected apps in Google Play are said to have been downloaded over 242,000 times.

The campaign is assessed to have been active since March 2024, with the apps distributed via both official and unofficial app stores. The applications masquerade as artificial intelligence (AI), food delivery, and Web3 apps, although some of them appear to offer legitimate functionality.

“The Android malware module would decrypt and launch an OCR plug-in built with Google’s ML Kit library, and use that to recognize text it found in images inside the gallery,” Kaspersky said. “Images that matched keywords received from the C2 were sent to the server.”

In a similar vein, the iOS version of SparkCat relies on Google’s ML Kit library for OCR to steal images containing mnemonic phrases. A notable aspect of the malware is its use of a Rust-based communication mechanism for C2, something rarely observed in mobile apps.

Further analysis of the keywords used and the regions where these apps were made available indicates that the campaign is primarily targeting users in Europe and Asia. The malicious activity is assessed to be the work of a threat actor who is fluent in Chinese.

“What makes this Trojan particularly dangerous is that there’s no indication of a malicious implant hidden within the app,” the researchers said. “The permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance.”

The disclosure comes as Zimperium zLabs detailed another mobile malware campaign targeting Indian Android device owners by distributing malicious APK files via WhatsApp under the guise of banking and government applications, allowing the apps to harvest sensitive personal and financial information.

The cybersecurity company said it has identified over 1,000 phony apps linked to the campaign, with the attackers leveraging roughly 1,000 hard-coded phone numbers as exfiltration points for SMS messages and one-time passwords (OTPs).

“Unlike conventional banking Trojans that rely solely on command-and-control (C&C) servers for one-time password (OTP) theft, this malware campaign leverages live phone numbers to redirect SMS messages, leaving a traceable digital trail for law enforcement agencies to track the threat actors behind this campaign,” security researcher Aazim Yaswant said.

The attack campaign, named FatBoyPanel, is said to have amassed 2.5 GB of sensitive data to date, all of which is hosted on Firebase endpoints that are accessible to anyone sans authentication.

This includes SMS messages from Indian banks, bank details, credit and debit card information, and government-issued identification details belonging to about 50,000 users, a majority of whom are located in the Indian states of West Bengal, Bihar, Jharkhand, Karnataka, and Madhya Pradesh.

These incidents are a cautionary tale about the importance of properly vetting apps, including scrutinizing reviews and checking the authenticity of the developers, before downloading them, even if they are uploaded to official app storefronts.

The development also follows the emergence of 24 new malware families targeting Apple macOS systems in 2024, up from 21 in 2023, according to security researcher Patrick Wardle.

This coincides with a surge in information stealer attacks, such as those involving Poseidon, Atomic, and Cthulhu, that are specifically aimed at the users of the desktop operating system.

“Infostealers leveraging macOS often exploit the native AppleScript framework,” Palo Alto Networks Unit 42 researchers Tom Fakterman, Chen Erlich, and Tom Sharon said in a report published this week.

“This framework provides extensive OS access, and it also simplifies execution with its natural language syntax. Since these prompts can look like legitimate system prompts, threat actors use this framework to trick victims via social engineering.”
