Malicious SDK Detected in Popular Android and iOS Apps: Users at Risk of Cryptocurrency Theft
Recent findings by cybersecurity firm Kaspersky have revealed a concerning trend in the mobile app landscape. The discovery of a malicious software development kit (SDK), named ‘SparkCat,’ in various Android and iOS applications poses a significant threat to cryptocurrency users. This SDK is designed to stealthily capture cryptocurrency wallet recovery phrases through advanced optical character recognition (OCR) techniques.
SparkCat Campaign Uncovered
The SparkCat campaign primarily affects Android and iOS applications available on the Google Play Store and Apple App Store. According to Kaspersky, developers of these apps are likely unaware of the malicious nature of the SDK embedded within their software. Notably, the Android apps associated with this campaign have been downloaded over 242,000 times from the Google Play Store alone.
Kaspersky’s analysis highlights the prevalence of this malicious SDK. ‘We found Android and iOS apps that had a malicious SDK/framework embedded to steal crypto wallet recovery phrases, some of which were available on Google Play and the App Store,’ a spokesperson from Kaspersky stated.
Functionality of the Malicious SDK
At the core of the infected Android apps is a malicious Java component known as ‘Spark.’ Disguised as an analytics module, it connects to an encrypted configuration file hosted on GitLab, which directs the SDK’s commands and updates.
On the iOS side, the SDK appears under various names, including ‘Gzip,’ ‘googleappsdk,’ and ‘stat.’ It employs a Rust-based networking module referred to as ‘im_net_sys’ for communication with command and control (C2) servers. One of the most alarming features of this SDK is its use of Google ML Kit OCR to extract text from images stored on the device. By scanning that text for wallet recovery phrases, the malicious software gives attackers what they need to restore the wallet on their own device: a recovery phrase is sufficient on its own, so no password is required.
Targeting Strategies
The malware is programmed to recognize multiple languages, adapting its text recognition to different character sets, including Latin, Korean, Chinese, and Japanese. Kaspersky noted that while some apps appear to target specific regions, the OCR functionality is not limited to those regions and could be turned against users elsewhere.
Infected Applications and Recommendations
Kaspersky has identified a total of 18 infected Android apps and 10 iOS apps, many of which remain available for download in their respective app stores. One example highlighted in the report is the Android ChatAi app, which accrued over 50,000 downloads before being removed from Google Play.
For those who may have downloaded any of these compromised applications, Kaspersky advises immediate uninstallation. Users are also encouraged to run a mobile antivirus scan to check for any residual malware. In situations where users suspect their devices have been compromised, a factory reset should be considered for comprehensive protection.
In addition to these precautionary measures, cryptocurrency users are urged to avoid storing recovery phrases in screenshots. Instead, these sensitive pieces of information should be kept on physical offline media, encrypted removable storage devices, or within secure, self-hosted offline password managers.
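The mechanism described above (OCR text scanned for recovery phrases) and the advice not to keep phrases in screenshots point to a defender-side check: scan text extracted from your own screenshots, notes or outgoing messages for anything that looks like a seed phrase, so it can be deleted before an app with photo access ever sees it. The following is an added example written for this article, not code from Kaspersky, BleepingComputer or the SparkCat SDK. It assumes the text has already been OCR'd and checks only word shape and count (lowercase words of 3 to 8 letters, in groups of 12, 15, 18, 21 or 24, optionally numbered as wallet apps display them); it does not carry the BIP39 word list or verify the checksum, so it reports candidates rather than confirmed mnemonics. The sample inputs are constructed.

```python
"""Heuristic detector for seed-phrase-like text in OCR output or notes.

Added example for defensive use: flag recovery phrases that were stored as
screenshots or plain text. Assumption: only word shape and count are checked,
not the BIP39 word list or checksum, so results are candidates to review.
"""
import re
from dataclasses import dataclass
from typing import Optional

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words long.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
# Every BIP39 English word is lowercase and between 3 and 8 letters.
WORD_RE = re.compile(r"[a-z]{3,8}")
# "1. abandon", "2) ability", "3 able": the numbered layout many wallet apps show.
NUMBERED_RE = re.compile(r"\b(\d{1,2})\s*[.):-]?\s*([A-Za-z]+)")
# Shortest run of plausible words worth reporting when there is no numbering.
MIN_RUN = 12
# Mnemonics almost never repeat a word; prose repeats "the", "and", etc.
MIN_DISTINCT_RATIO = 0.9


@dataclass
class Finding:
    kind: str            # "numbered" (strong signal) or "run" (weak signal)
    words: list          # the candidate words, in order
    exact_length: bool   # True when the word count is a valid BIP39 length


def plausible(word: str) -> bool:
    """Does this token have the shape of a BIP39 English word?"""
    return WORD_RE.fullmatch(word) is not None


def find_numbered_phrase(text: str) -> Optional[Finding]:
    """Strong signal: a numbered list 1..N of plausible words, N a BIP39 length."""
    by_index = {}
    for num, word in NUMBERED_RE.findall(text):
        n, w = int(num), word.lower()
        if plausible(w) and n not in by_index:   # keep the first word per index
            by_index[n] = w
    count = len(by_index)
    if count in MNEMONIC_LENGTHS and set(by_index) == set(range(1, count + 1)):
        return Finding("numbered", [by_index[i] for i in range(1, count + 1)], True)
    return None


def find_word_runs(text: str) -> list:
    """Weak signal: long runs of mostly distinct, plausible words."""
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]+", text)]
    findings, run = [], []

    def flush():
        # A run is reported when it is long enough and has few repeated words.
        if len(run) >= MIN_RUN and len(set(run)) / len(run) >= MIN_DISTINCT_RATIO:
            findings.append(Finding("run", list(run), len(run) in MNEMONIC_LENGTHS))
        run.clear()

    for tok in tokens:
        if plausible(tok):
            run.append(tok)
        else:
            flush()          # a short or long word ends the current run
    flush()
    return findings


def scan(text: str) -> list:
    """Return findings for one piece of OCR'd text; numbered layout wins if present."""
    numbered = find_numbered_phrase(text)
    return [numbered] if numbered else find_word_runs(text)


# Constructed sample inputs (the first twelve BIP39 words, which are public).
SAMPLE_NUMBERED = """Recovery phrase
1. abandon 2. ability 3. able 4. about 5. above 6. absent
7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident
Write these words down and keep them safe"""

SAMPLE_PLAIN = """Seed backup
abandon ability able about above absent absorb abstract absurd abuse access accident
Do not share this with anyone"""

SAMPLE_PROSE = ("The quick brown fox jumps over the lazy dog, and then it sleeps "
                "under a tree in the sun.")

if __name__ == "__main__":
    for name, sample in [("numbered", SAMPLE_NUMBERED), ("plain", SAMPLE_PLAIN),
                         ("prose", SAMPLE_PROSE)]:
        for f in scan(sample):
            print(f"{name}: {f.kind} candidate, {len(f.words)} words, "
                  f"exact BIP39 length={f.exact_length}")
```

The numbered layout is the reliable case: the detector recovers exactly the listed words. The unnumbered run detector is deliberately loose and picks up surrounding caption words, which is acceptable when the goal is to flag an image for deletion rather than to extract a phrase; a production tool would add the BIP39 word list to cut false positives.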
Feedback from Tech Giants
As the situation develops, BleepingComputer has reached out to both Apple and Google for their official comments regarding the presence of these infected apps in their respective app stores. Updates will be provided as their responses come in.
Conclusion
The emergence of the SparkCat campaign underscores the importance of vigilance when downloading mobile applications. Users should remain proactive in safeguarding their digital assets by being cautious of app permissions and employing strong security practices.