Malicious Apps on Google Play and Apple App Store Targeting Crypto Wallets

Several Android and iOS apps on Google Play and the Apple App Store have been found to contain a malicious software development kit (SDK) that steals cryptocurrency wallet recovery phrases using optical character recognition (OCR). The operation, dubbed “SparkCat,” takes its name from a malicious component called “Spark” embedded in the affected apps. The developers of these apps likely did not know they were part of the scheme.

According to cybersecurity firm Kaspersky, the infected apps were downloaded more than 242,000 times from Google Play alone. This is the first known instance of a stealer being detected in the App Store.

How the Malicious SDK Operates

In Android apps the malicious SDK includes a Java component named “Spark” that masquerades as an analytics module. It uses an encrypted configuration file hosted on GitLab to receive commands and updates. In iOS apps the framework appears under various names such as “Gzip,” “googleappsdk,” or “stat,” and it uses a Rust-based networking module called “im_net_sys” to communicate with its command-and-control (C2) servers.

The SDK uses Google ML Kit OCR to extract text from images stored on the device, specifically targeting recovery phrases, which grant access to a cryptocurrency wallet without any password. The malware identifies images that contain sensitive information by searching the extracted text for specific keywords in several languages, choosing the keyword set according to the user’s geographic location.

Affected Apps and Recommendations

Kaspersky identified 18 infected Android apps and 10 iOS apps, many of which remain available for download. One notable example is the Android app ChatAi, which had over 50,000 installations but has since been removed from Google Play.

If you have any of these potentially compromised apps installed, it is crucial to uninstall them immediately. Users are also advised to run a mobile antivirus scan for remnants of the malware and consider performing a factory reset of their devices.

To enhance security, storing cryptocurrency wallet recovery phrases in screenshots is strongly discouraged. Instead, it is recommended to keep them on physical offline media, encrypted removable storage devices, or within the vault of self-hosted, offline password managers.
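The OCR keyword search described above works because a recovery phrase has a recognisable shape: a list of 12 to 24 short lowercase words, often labelled “recovery phrase” or “seed phrase.” Below is an added example, written for this article and not part of Kaspersky’s research or the SparkCat SDK, that applies the same shape test defensively: it runs over text already extracted from a user’s own screenshots and reports which images should be deleted and moved to offline storage. It assumes OCR text is supplied as plain strings (the sample entries are constructed), and it uses the BIP39 word-length rule (3 to 8 lowercase letters) as a heuristic rather than the full 2048-word list.

```python
import re

# Constructed OCR output for three screenshots; these strings are made up for the example.
SAMPLE_OCR = {
    "IMG_001.png": "Lunch with Sam at 12:30, bring the contract draft",
    "IMG_002.png": ("1. apple 2. bright 3. canyon 4. dolphin 5. eagle 6. fabric "
                    "7. garden 8. hollow 9. island 10. jungle 11. kettle 12. lemon"),
    "IMG_003.png": ("Write down your recovery phrase:\nabandon ability able about above "
                    "absent absorb abstract absurd abuse access accident"),
}

WORD = re.compile(r"^[a-z]{3,8}$")   # heuristic: BIP39 words are 3-8 lowercase letters
HINTS = ("recovery phrase", "seed phrase", "mnemonic", "secret phrase", "backup phrase")
MIN_RUN = 12                         # shortest standard mnemonic length


def longest_word_run(text):
    """Length of the longest run of consecutive plain lowercase words (3-8 letters).
    List numbering such as '1.' or '7)' is skipped without breaking the run;
    any other token (punctuation, digits, long words) ends the run."""
    best = run = 0
    for token in text.lower().split():
        if re.fullmatch(r"\d+[.)]?", token):
            continue
        if WORD.match(token):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def classify(text):
    """Return the reasons a screenshot looks like it contains a wallet recovery phrase."""
    reasons = []
    run = longest_word_run(text)
    if run >= MIN_RUN:
        reasons.append(f"run of {run} plain words (mnemonic-like)")
    low = text.lower()
    hits = [h for h in HINTS if h in low]
    if hits:
        reasons.append("keyword: " + ", ".join(hits))
    return reasons


def audit(ocr_results):
    """Map filename -> reasons for every screenshot that should be removed from the device."""
    return {name: r for name, text in ocr_results.items() if (r := classify(text))}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_OCR).items():
        print(name, "->", "; ".join(reasons))
```

For real use, feed `audit()` the output of any local OCR tool run over the screenshot folder; the check itself never needs network access.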

For a complete list of the affected apps, refer to Kaspersky’s report.
