Crypto-stealing iOS, Android malware found on App Store, Google Play

A number of iOS and Android apps on Apple’s and Google’s official app stores contain a software development kit (SDK) that allows them to exfiltrate cryptowallets’ seed recovery phrases, Kaspersky researchers have found.

“The infected apps in Google Play had been downloaded more than 242,000 times. This was the first time a stealer had been found in Apple’s App Store,” they pointed out.

The apps have also been pushed via unofficial app stores.

The malicious SDK: What does it do? Who made it?

The malicious SDK/framework has been dubbed Spark, after one of its components. Once initialized, it tries to download a configuration file from a GitLab URL and, if it fails, it uses the default settings.

“Once a configuration has been downloaded, Spark decrypts a payload from assets and executes it in a separate thread. The payload (…) is a wrapper for the TextRecognizer interface in Google’s ML Kit library. It loads different OCR [optical character recognition] models depending on the system language to recognize Latin, Korean, Chinese or Japanese characters in images.”

The SDK sends device information to the command and control (C2) server and it responds with an object that controls further malware activities (e.g., making changes allowing the malware to keep running).

Every time the user initiates a chat with the support team, the SDK springs into action and asks for access to the device’s image gallery.

“If access is granted, the SDK runs its main functionality. This starts with sending a request to /api/e/config/rekognition on the C2 and getting parameters for processing OCR results in a response. These parameters are used by processor classes that filter images by OCR-recognized words,” the researchers noted.

“We asked ourselves what kind of images the attackers were looking for. To find out, we requested from the C2 servers a list of keywords for OCR-based search. In each case, we received words in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish and Portuguese. The terms all indicated that the attackers were financially motivated, specifically targeting recovery phrases also known as ‘mnemonics’ that can be used to regain access to cryptocurrency wallets.”

The malware grabs photos stored in the devices’ gallery and uploads them to the C2 server, but does it selectively.

The keywords searched for in stored images (Source: Kaspersky)
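An added detection example, not code from the Kaspersky report or the article: it scans constructed proxy log lines for requests to the C2 configuration path quoted above and then flags large POST bodies sent to that same host by the same client, which is the upload pattern the researchers describe. The log format, the hostnames, the client addresses and the upload size threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic); assumed format:
# "<timestamp> <client> <method> <url> <status> <bytes transferred>"
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 GET https://cdn.example-legit.test/assets/logo.png 200 1843
2024-06-01T10:00:02Z 10.0.0.5 POST https://api.rekogn-cloud.test/api/e/config/rekognition 200 512
2024-06-01T10:00:09Z 10.0.0.5 POST https://api.rekogn-cloud.test/api/upload 200 3920481
2024-06-01T10:00:10Z 10.0.0.5 POST https://api.rekogn-cloud.test/api/upload 200 2817732
2024-06-01T10:05:00Z 10.0.0.9 GET https://news.example-legit.test/feed 200 22011
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
C2_CONFIG_PATH = "/api/e/config/rekognition"  # path quoted in the article
UPLOAD_THRESHOLD = 1_000_000                   # assumed: image-sized POST bodies


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    host_path = re.match(r"https?://([^/]+)(/.*)?", rec["url"])
    if not host_path:
        return None
    rec["host"] = host_path.group(1)
    rec["path"] = host_path.group(2) or "/"
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_sparkcat_activity(log_text):
    """Return (alert_type, client, host, timestamp) tuples for suspicious lines.

    A config fetch is flagged on its own; a large POST is only flagged when the
    same client already fetched the config path from that host, which keeps
    ordinary large uploads to unrelated services out of the alert list.
    """
    alerts = []
    config_hosts = defaultdict(set)  # client -> hosts that served the config path
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == C2_CONFIG_PATH:
            config_hosts[rec["client"]].add(rec["host"])
            alerts.append(("c2_config_fetch", rec["client"], rec["host"], rec["ts"]))
        elif (rec["method"] == "POST" and rec["host"] in config_hosts[rec["client"]]
              and rec["bytes"] >= UPLOAD_THRESHOLD):
            alerts.append(("bulk_upload_after_config", rec["client"], rec["host"], rec["ts"]))
    return alerts
```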

After discovering the same SDK (with varying features and different names) in iOS apps on the App Store, they analyzed it and found information pointing to the SDK’s creator.

The comments in the code and the C2 error messages are in Chinese. “These, along with the name of the framework developer’s home directory which we obtained while analyzing the iOS-specific version, suggest that the creator of the malicious module speaks fluent Chinese. That being said, we have insufficient data to attribute the campaign to a known cybercrime gang.”

Who’s being targeted with this crypto-stealing iOS and Android malware?

The researchers say that the oldest version of the malicious SDK they could find was built on March 15, 2024.

Around the same time, ESET researchers warned about trojanized WhatsApp and Telegram apps for Windows and Android that could both steal and modify content copied to the clipboard (e.g., when copy-pasting various types of information), and use optical character recognition (OCR) to recognize text – more specifically, cryptocurrency wallet recovery phrases – in screenshots stored on the compromised devices.

Those apps were offered for download via copycat Telegram and WhatsApp websites, and potential victims were directed to them via malicious Google Search ads, which pointed to YouTube videos whose About section contained links to the copycat pages.

“It is possible that with Telegram, WhatsApp, and the Google Play app all being blocked in China, Android users there are used to jumping through several hoops if they want to obtain officially unavailable apps. Cybercriminals are aware of this and try to ensnare their victims right from the get-go – when the victim searches Google for either a WhatsApp or a Telegram app to download,” ESET researchers posited.

This latest campaign – dubbed SparkCat by Kaspersky – was able to reach a wider swathe of potential targets.

Based on the keywords for the OCR-based search, the SDK creator is after cryptowallets belonging to users in a number of European and Asian countries, including China. And some of the apps with the malicious SDK are also used in African and Middle Eastern countries like Zimbabwe and the United Arab Emirates.

“We cannot confirm with certainty whether the [malicious SDK getting embedded in those apps] was a result of a supply chain attack or deliberate action by the developers. Some of the apps, such as food delivery services, appeared to be legitimate, whereas others apparently had been built to lure victims,” Kaspersky concluded.

It’s also possible that the malicious SDK was integrated by unwitting mobile app developers because it provides welcome functionality.

What should the victims do?

It’s easy to see how the malware managed to pass the security screening and end up on official app stores, the researchers noted. The permissions the apps request make sense and the malicious SDK is very stealthy: the C2 domains often mimicked legitimate services, the SDK is heavily obfuscated and, in some cases, it does not immediately spring into action.

Kaspersky has shared indicators of compromise and listed the names of Android and iOS apps that contain the malicious SDK. The list includes food delivery, AI chatbot, cryptocurrency exchange/wallet, payment, news, VPN, messaging, and sport apps.

While Google and Apple have removed most of the offending apps from their stores, some can still be found there, the researchers warned.

Android and iOS users would do well to check whether they have installed one or more of these apps and, if they have, to remove them. Using mobile security software to clean the device is advised, and so is avoiding taking screenshots of sensitive information and storing them unencrypted. (Password managers should help with that.)

If your cryptowallet hasn’t been emptied in the meantime, move your crypto funds to a new wallet with a new seed phrase, but not before having cleaned up your device. It may be best to do this from another device, though.
