Users Warned Against Google Play and App Store Apps Stealing Cryptocurrency Wallets

A new malicious software development kit (SDK) has been found spreading through apps on both Google Play and Apple's App Store.

Security experts are raising the alarm over the SDK, which can steal crypto wallet recovery phrases using an OCR stealer built on optical character recognition. The campaign, dubbed SparkCat, embeds the malicious code in apps without the developers having any clue about what is going on.

According to Kaspersky, publicly available download figures show the infected apps were installed more than 242,000 times in total. What worries experts most is that this is also the first time a stealer has been found on Apple's App Store.

The malicious SDK uses a Java component dubbed Spark, which fetches encrypted configuration files hosted on GitLab containing its commands and further operational details. On iOS, the framework appears under various names such as Gzip or stat. It includes a networking module that handles communication with the command-and-control servers.

The module also uses Google ML Kit to extract text from pictures stored on the device. This is how it locates recovery phrases, which let the attackers load the victim's crypto wallet on their own phones without needing any of the user's credentials.

Different OCR models are loaded depending on the system language, so the malware can recognise Korean, Chinese, Japanese and other scripts inside pictures. It then sends details about the device to the command servers and receives in reply an object that controls its next operations.

The malware searches the extracted text for secrets using keywords in several languages, which vary by region. According to Kaspersky, although some apps appear to target specific regions, there is a chance the malware also works outside the intended geographical area.

The infected apps were found on both the App Store and Google Play. One of them was downloaded more than 50,000 times, and although it is no longer available on Google Play, the figure is still alarming.

A complete list of affected apps can be found in Kaspersky's report. If any of them are installed on your phone, uninstall them without further delay, then use a mobile antivirus tool to scan for remnants. A factory reset should also be considered.

Experts also warn users against storing cryptocurrency wallet recovery phrases as screenshots. Instead, store them on physical offline media, on encrypted removable storage, or in self-hosted vaults. Offline password managers are another good option.

Apple and Google have been contacted for an updated list of apps following the crackdown on the malicious ones. We hope they release it soon so users know which downloads to be wary of.
