An alarming new warning has just hit iPhone and Android users, with a cybersecurity firm reporting that apps in both Google’s Play Store and Apple’s App Store have been infected with “malicious” code that lets attackers empty crypto wallets.
This is yet another case of crafted SDKs corrupting genuine apps, piggybacking onto users’ devices. And it works. Kaspersky says that while “infected apps have been downloaded more than 242,000 times from Google Play. This is the first known case of a stealer getting into the App Store.” I have approached both Google and Apple for any response to the new report and confirmation that infected apps have been fixed.
The malicious code works by using OCR to scan a device’s image gallery for words and phrases, in multiple languages, that might be secret codes to access or recover wallets on the device. This, says Kaspersky, is a play on the type of attack reported by ESET in 2023, where dozens of Telegram and WhatsApp copycats deployed clippers to steal clipboard content to access wallets. But ESET also discovered some of the copycat apps “using optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.” This is an evolution of that threat, and it’s now much worse.
Kaspersky says it “managed to establish the motivation of the attackers — attackers steal phrases to restore access to crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds.” The researchers found the new attack at the end of 2024, but some of the code was deployed much earlier.
“The malware we called SparkCat used an unidentified protocol implemented in the Rust language, which is rare for mobile applications, to interact with C2. According to the time stamps in the malware files and the dates of creation of configuration files in the repositories on GitLab, SparkCat has been active since March 2024.”
The threat is international, with “the very first application that seemed suspicious to us was an application for food delivery to the UAE and Indonesia called ComeCome (package name – com.bintiger.mall.android),” and one can expect it will spread quickly. The malware can load “different OCR models depending on the system language to distinguish Latin, Korean, Chinese and Japanese characters in the pictures.”
While this seems to have infected more Android than iPhone apps, Kaspersky says that “the App Store has iOS applications infected with a malicious framework with the same Trojan. For example, the ComeCome food delivery app for iOS was infected, as was its Android version. This is the first known case of OCR spy in the official Apple store.”
The infected apps are listed in Kaspersky’s report, and all will likely be patched now that these findings have been published. The package names are below — it’s worth a scan to see if you recognize any of the names that might be installed on your phone.
“Package names of infected Android applications from Google Play
com.crownplay.vanity.address
com.atvnewsonline.app
com.bintiger.mall.android
com.websea.exchange
org.safew.messenger
org.safew.messenger.store
com.tonghui.paybank
com.bs.feifubao
com.sapp.chatai
com.sapp.starcoin
BundleIDs encrypted in the body of iOS frameworks
im.pop.app.iOS.Messenger
com.hkatv.ios
com.atvnewsonline.app
io.zorixchange
com.yykc.vpnjsq
com.llyy.au
com.star.har91vnlive
com.jhgj.jinhulalaab
com.qingwa.qingwa888lalaaa
com.blockchain.uttool
com.wukongwaimai.client
com.unicornsoft.unicornhttpsforios
staffs.mil.CoinPark
com.lc.btdj
com.baijia.waimai
com.ctc.jirepaidui
com.ai.gbet
app.nicegram
com.blockchain.ogiut
com.blockchain.98ut
com.dream.towncn
com.mjb.hardwood.Test
com.galaxy666888.ios
njiujiu.vpntest
com.qqt.jykj
com.ai.sport
com.feidu.pay
app.ikun277.test
com.usdtone.usdtoneApp2
com.cgapp2.wallet0
com.bbydqb
com.yz.Byteswap.native
jiujiu.vpntest
com.wetink.chat
com.websea.exchange
com.customize.authenticator
im.token.app
com.mjb.WorldMiner.new
com.kh-super.ios.superapp
com.thedgptai.event
com.yz.Eternal.new
xyz.starohm.chat
com.crownplay.luckyaddress1”
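The article suggests scanning the list above for names you recognize. As an added example that is not part of the article or of Kaspersky’s report, the Python below does that check mechanically for Android: it takes the output of `adb shell pm list packages -i` (Android prints one `package:<name>  installer=<source>` line per app when the `-i` flag is given) and reports any installed package whose name appears in the Google Play list quoted above. The sample `pm` output is constructed for the demonstration.

```python
"""Added example: match installed Android packages against the SparkCat
package list quoted in the article. Not code from the article or Kaspersky."""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Android package names quoted in the article from Kaspersky's report.
SPARKCAT_ANDROID_PACKAGES = frozenset({
    "com.crownplay.vanity.address",
    "com.atvnewsonline.app",
    "com.bintiger.mall.android",
    "com.websea.exchange",
    "org.safew.messenger",
    "org.safew.messenger.store",
    "com.tonghui.paybank",
    "com.bs.feifubao",
    "com.sapp.chatai",
    "com.sapp.starcoin",
})

# One line of `pm list packages -i` output: "package:<name>  installer=<src>".
# The installer column is absent when the flag is not given, so it is optional.
_PM_LINE = re.compile(
    r"^package:(?P<name>[A-Za-z0-9_.]+)(?:\s+installer=(?P<installer>\S+))?\s*$"
)


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Parse `pm list packages [-i]` output into {package_name: installer}.

    `installer=null` (side-loaded or preinstalled) becomes None. Lines that
    do not look like package entries (e.g. adb warnings) are skipped.
    """
    packages: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        match = _PM_LINE.match(line.strip())
        if not match:
            continue
        installer = match.group("installer")
        packages[match.group("name")] = None if installer in (None, "null") else installer
    return packages


def find_infected(
    output: str, iocs: frozenset = SPARKCAT_ANDROID_PACKAGES
) -> List[Tuple[str, Optional[str]]]:
    """Return (package, installer) pairs for installed packages in the IoC list.

    The installer is kept because a match from Google Play ("com.android.vending")
    is the case the article describes; a side-loaded copy is a separate concern.
    """
    installed = parse_pm_list(output)
    return sorted((name, installed[name]) for name in installed if name in iocs)


# Constructed sample output, as `adb shell pm list packages -i` would print it.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.bintiger.mall.android  installer=com.android.vending
package:org.safew.messenger  installer=null
package:com.example.notes  installer=com.android.vending
"""


if __name__ == "__main__":
    # Pipe real output in: adb shell pm list packages -i | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_OUTPUT
    hits = find_infected(text)
    if not hits:
        print("No packages from the published list are installed.")
    for name, installer in hits:
        print(f"MATCH {name} (installer: {installer or 'unknown/side-loaded'})")
```

A match here means the package name is on the published list, not that the installed build is still the infected one: a patched update keeps the same package name, which is why the article’s advice is to remove the app and reinstall once an update is out. The iOS bundle IDs in the list are not visible through a comparable command on a non-jailbroken iPhone, so that half of the list has to be checked by eye against the App Store’s installed-apps view.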
If you have any of the apps, delete them and reinstall them when updated — certainly do not use them. “The Trojan is particularly dangerous because nothing gives out a malicious implant inside the application,” Kaspersky says. “The permissions requested by it can be used in the main functionality of the application or seem to be seemingly harmless, and the malware works quite secretly.”
The other advice from Kaspersky will be a wake-up call for many. “Do not store screenshots with sensitive information in the gallery, including phrases to restore access to cryptocurrency wallets.” Instead, it says, “passwords, confidential documents and other sensitive data can be stored in special applications.”
Common sense, but I’m sure most of us have compromising words and phrases in our image galleries that we’ve saved as a quick reminder. Something to think about now.