- Apps delivering malware to users to steal crypto found on iOS app store
- Some of these apps have thousands of installs across iOS and Android
- The ‘SparkCat’ campaign has been active since March 2024
Crypto-stealing malware dubbed ‘SparkCat’ has been discovered on iOS and Android app stores, and is embedded with a ‘malicious SDK/framework for stealing recovery phrases for crypto wallets’.
A report from Kaspersky has identified malicious apps, some with upwards of 10,000 downloads, that scan the victims gallery to find keywords – if relevant images are found, they are then sent to a C2 server.
This is the first time a stealer has been found in Apple’s App store, and this is significant because Apple reviews every entry to ‘help provide a safe and trusted experience for users’ – so these malware-infected apps show that the review process is not as robust as it should be.
Although aimed at stealing cryptocurrency wallet recovery phrases, Kaspersky notes that the malware is ‘flexible enough’ to steal other sensitive data from victim’s galleries – here’s what we know.
Multiple malicious apps
The ‘SparkCat’ malware campaign was first discovered in late 2024, and is suspected to have been active since March 2024.
The first app Kaspersky identified was a Chinese food delivery app, ComeCome. The app had over 10,000 downloads and was based in Indonesia and the UAE. The app was embedded with malicious content, and contained OCR spyware which chose images from the infected devices to exfiltrate and send to the C2 server.
This wasn’t the only infected app though, and researchers found that infected apps available in Google Play had been downloaded a combined total of over 242,000 times. In 2024, over 2 million risky Android apps were blocked from the Play Store, including some which tried to push malware and spyware – so although Google is improving its protections, clearly some still make it through.
In the app store, some apps ‘appeared to be legitimate’, like the food delivery services, while others had apparently been built to ‘lure victims’. An example of this, researchers outlined, is a series of similar AI-featured ‘messaging apps’ by the same developer, including AnyGPT and WeTink.
It’s not clear whether these infections are deliberate actions by developers, or are a result of supply chain attacks, but the report does note that the “permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance.”
“What makes this Trojan particularly dangerous is that there’s no indication of a malicious implant hidden within the app” Kaspersky adds.
Mitigating malware
If you have one of the infected apps installed on your device, Kaspersky of course recommends removing it and steering clear until a fix is released – the list of infected apps can be found here.
There is software that can help protect your device, like antivirus software – and as a key part of this malware in particular is the exfiltration of sensitive data through screenshots, the best advice is to avoid storing passwords, confidential documents, or sensitive information in your gallery.
Instead, check out the best password managers to securely store your information, as these present a much safer and convenient option to keeping your passwords in your photos. Make sure you don’t reuse passwords on multiple sites, and change your passwords regularly to avoid a breach.
There are some tricks to avoid malware apps, and considering that dangerous malware apps have been found to have been installed millions of times, it’s always best to be safe.
First of all, be wary of the warning signs. Go through the feedback and reviews – especially the negatives, as it’s likely someone else will have already flagged a bug. Be very suspicious of an app which asks for your existing social media credentials – as this could be criminals looking to hijack your account.