It’s a bit of a technical story about apps that wound up on both the Apple and Google app stores, but it’s interesting.
In March 2023, a group of security researchers at ESET discovered malware implants embedded into various messaging app mods. Some of these scanned users’ image galleries in search of crypto wallet access recovery phrases.
The search used an OCR (Optical Character Recognition) model, which selected images on the victim’s device to send to the C2 server. The campaign targeted Android and Windows users, with the malware spreading through unofficial sources. In late 2024, a new malware campaign, dubbed “SparkCat,” used similar tactics while attacking Android and iOS users through both official and unofficial app stores.
The researchers offered the following conclusions:
- We found Android and iOS apps, some available in Google Play and the App Store, which were embedded with a malicious SDK/framework for stealing recovery phrases for crypto wallets. The infected apps in Google Play had been downloaded more than 242,000 times. This was the first time a stealer had been found in Apple’s App Store.
- The Android malware module would decrypt and launch an OCR plug-in built with Google’s ML Kit library, and use that to recognize text it found in images inside the gallery. Images that matched keywords received from the C2 were sent to the server. The iOS-specific malicious module had a similar design and also relied on Google’s ML Kit library for OCR.
- The malware, which we dubbed “SparkCat”, used an unidentified protocol implemented in Rust, a language untypical of mobile apps, to communicate with the C2.
- Judging by timestamps in malware files and creation dates of configuration files in GitLab repositories, SparkCat has been active since March 2024.
The article, which is linked below, details the technical elements of the malware and how the code was studied to determine what was going on and what resources and methods were being used. It’s an interesting read, and perfect if you’re interested in computer science and security.
As always, be careful out there and we’ll have additional details as they become available.
Via securelist