Uncovering SparkCat: A New Malware Campaign Stealing Crypto Wallet Recovery Phrases

2025-02-05

In recent years, the threat landscape surrounding mobile applications has grown significantly, particularly in the realm of cryptocurrency security. Two prominent cybersecurity companies, ESET and Kaspersky, have uncovered disturbing malware campaigns targeting mobile users. The latest of these campaigns, SparkCat, has evolved to target both Android and iOS users, stealing sensitive information, specifically recovery phrases for cryptocurrency wallets. This attack uses sophisticated tactics, including Optical Character Recognition (OCR), to scan and extract recovery phrases from images in the victim’s gallery. With over 242,000 downloads of malicious apps, SparkCat highlights a growing concern: mobile applications, even those downloaded from official stores, can no longer be trusted without scrutiny.

Summary:

In 2023, ESET uncovered malware embedded in modified messenger apps that used OCR to scan photos for crypto wallet recovery phrases. By late 2024, Kaspersky found a new malware campaign called SparkCat that expanded these tactics to target both Android and iOS users. The malware, which infected over 242,000 devices via official app stores, embedded a malicious SDK that used OCR for image recognition, targeting recovery phrases for cryptocurrency wallets. The malware relied on an obscure protocol, developed in the Rust programming language, to communicate with its command-and-control servers.

The SparkCat malware used Google ML Kit’s OCR library to scan for wallet recovery phrases in multiple languages. The malicious SDK, disguised as an analytics module, communicated with C2 servers and executed commands based on encrypted GitLab files. The campaign targeted users in regions like Europe, Asia, and Africa, using localized keywords and apps tailored to multiple languages. The attack’s success stems from the stealthy nature of the malware, which does not immediately appear malicious and works without raising suspicion.

What Undercode Says:

The SparkCat campaign represents a significant escalation in the sophistication of mobile malware, especially in its targeting of cryptocurrency users. The use of OCR technology to scan for recovery phrases is particularly worrying. These phrases, also known as mnemonics, serve as the keys to accessing and recovering cryptocurrency wallets. By targeting images of these phrases stored on users’ devices, the malware effectively bypasses traditional methods of wallet protection, which often rely on secrecy and physical security.

What makes SparkCat particularly concerning is its cross-platform nature. Unlike many previous malware campaigns that primarily targeted Android devices, SparkCat spans both Android and iOS, two of the most widely used mobile operating systems. This highlights a shift in the security landscape where iOS, once considered more secure than Android, is now just as vulnerable to highly sophisticated attacks. The malware’s ability to remain undetected within legitimate apps that request seemingly harmless permissions underlines the stealthiness of modern mobile threats.

One of the most unsettling aspects of SparkCat is its ability to bypass official app store moderation. Despite both Google Play and the Apple App Store’s relatively strict review processes, malicious apps can still slip through. This suggests that the security frameworks in place for app vetting need significant improvement. As these platforms become more crowded with apps, it becomes increasingly difficult for security teams to inspect each one thoroughly. This opens the door for attackers to leverage trusted platforms to distribute their malicious software.

The malware’s use of Google’s ML Kit for OCR raises further concerns. Although ML Kit is a powerful tool that lets developers incorporate machine learning features, it is being exploited by cybercriminals to extract sensitive data. The fact that SparkCat uses multiple OCR models to support Chinese, Japanese, Korean, and several European languages indicates that the attackers are targeting a global audience. This is a clear indication that SparkCat is part of a more extensive campaign to compromise crypto wallets worldwide.

Moreover, the deployment of a custom protocol written in Rust for C2 communication is a noteworthy development. Rust, known for its speed and memory safety, is not commonly used in mobile app development. Its adoption by cybercriminals could be a signal that they are becoming more technically advanced, utilizing less common tools to make detection harder. Fetching commands from an encrypted file hosted on GitLab also demonstrates the level of sophistication involved, allowing the malware to stay updated and adaptable over time.

The targeting of specific regions, such as Europe, Asia, and parts of Africa, is not accidental. Cybercriminals are known to use localization tactics, adjusting their strategies based on the languages spoken and the financial systems in place. The UAE, Kazakhstan, China, Indonesia, and Zimbabwe, for instance, are countries where cryptocurrency usage is particularly high or rising, making them prime targets for these types of attacks.

In conclusion, the SparkCat malware campaign is a wake-up call for the cybersecurity community, especially for cryptocurrency users. The ability of this malware to silently infiltrate both Android and iOS devices, extract wallet recovery phrases, and remain undetected within legitimate apps is a clear demonstration of the increasing complexity of mobile threats. This attack also highlights the need for enhanced app store security and more rigorous scrutiny of app permissions and behaviors. Cryptocurrency users must remain vigilant and adopt best practices, such as using hardware wallets and enabling two-factor authentication, to protect their assets from these increasingly sophisticated threats.

References:

Reported By: https://securityaffairs.com/173873/malware/sparkcat-campaign-target-crypto-wallets.html