Kaspersky Threat Research's specialist centre has discovered a new Trojan, SparkCat, distributed through the AppStore and Google Play and used to steal data since at least March 2024. This is the first known incident of malware in the AppStore based on visual recognition. SparkCat uses machine learning to scan the photo gallery and steal screenshots containing cryptocurrency wallet recovery phrases. It can also detect and extract other sensitive data stored as images, such as passwords.
Kaspersky has reported the known malicious applications to Google and Apple.
The malware spreads both through legitimate apps that have been infected and through "decoy" apps such as messengers, AI assistants, food delivery apps, cryptocurrency apps and more. Some of these apps are available on the official Google Play and AppStore platforms. Kaspersky's telemetry data also shows that infected versions are distributed through other, unofficial sources. The affected apps have been downloaded more than 242,000 times from Google Play.
The malware mainly targets users in the UAE and in countries in Europe and Asia. Experts came to this conclusion based on information about the regions in which the infected applications were operating, as well as on technical analysis of the malware. SparkCat scans image collections by searching for keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish and Portuguese. But experts believe the victims may come from other countries as well.
Once installed, the new malware in some cases requests access to the smartphone's photo gallery. It then uses an optical character recognition (OCR) tool to analyze the text in the stored images. If the malware detects relevant keywords, it sends the image to the attackers. The attackers' main goal is to identify recovery phrases for cryptocurrency wallets: with such a phrase, they gain full control over the victim's wallet and can steal the funds. In addition to recovery phrases, the malware can extract other personal information from screenshots, such as messages and passwords.
"This is the first known case of an OCR-based Trojan that managed to infiltrate the AppStore," said Sergey Puzan, a malware analyst at Kaspersky. "As for both the AppStore and Google Play, at this time it is not clear whether the apps in these stores were infected through a supply chain attack or by other means. Some apps, such as food delivery services, appear legitimate, while others are clearly designed as decoys."
"SparkCat's campaign presents some unique characteristics that make it dangerous. First, it spreads through official app stores and operates without any obvious signs of infection. This Trojan is difficult to detect by both store administrators and mobile users. The permissions it asks for also seem reasonable, and thus easily overlooked. From the user's point of view, access to the gallery that the malware is trying to obtain may appear to be necessary for the application to work properly. Permission is usually requested in a relevant context, for example when users contact customer support," added Dmitry Kalinin, a malware analyst at Kaspersky.
Analyzing versions of the Android malware, Kaspersky experts found comments in the code written in Chinese. In addition, the iOS version contained the developer's "qiongwu" and "quiwengjing" directory names, indicating the familiarity of the threat actors behind the campaign with Chinese. However, there is not enough evidence to attribute the campaign to a known cybercriminal group.
Cybercriminals are paying more and more attention to neural networks in their malicious tools.
In the case of SparkCat, the Android module decrypts and executes an OCR plugin that uses the Google ML Kit library to recognize text in stored images. A similar method was used in the malicious module for iOS.
Kaspersky's solutions protect Android and iOS users from SparkCat. It is detected as HEUR:Trojan.IphoneOS.SparkCat.* and HEUR:Trojan.AndroidOS.SparkCat.*.
To avoid becoming a victim of this malware, Kaspersky recommends the following security measures: