The discovery of malware embedded within multiple iOS and Android apps available on both Apple’s App Store and Google’s Play Store has raised significant security concerns. Researchers at Kaspersky have identified an embedded software development kit (SDK) labeled ‘Spark,’ which allows these apps to exfiltrate recovery phrases for cryptowallets. This malicious software is designed to hijack specific data from cryptowallets, often used for storing and managing cryptocurrency funds.
The Scale of the Threat
Widespread Distribution
One of the most alarming aspects of this discovery is the sheer scope of the threat: the infected apps have been downloaded over 242,000 times from the Google Play Store alone. Distribution on that scale points to a critical weakness in the vetting processes of these platforms. The revelation that this is the first instance of stealer malware being identified in Apple’s App Store adds further urgency, underlining that both major app ecosystems are susceptible to such threats and that apps reaching official stores cannot be assumed clean.
Furthermore, it starkly illustrates the evolving techniques used by cybercriminals to infiltrate secure environments. Both Apple and Google pride themselves on their rigorous app review processes, designed to protect users from malicious software. However, the successful infiltration of these apps indicates that those processes are not infallible. The wide distribution of these harmful apps through such trusted channels only amplifies the potential damage, putting a vast number of users at risk of losing their essential financial information.
The ‘Spark’ SDK Mechanism
The technical sophistication of the ‘Spark’ SDK is a key factor in its success. Once initialized, the SDK attempts to download a configuration file from a GitLab URL and uses default settings if it cannot complete this task. This adaptability ensures that the malware can operate even in less-than-ideal conditions, making it more resilient against various network protections and defenses. After this initial step, the SDK decrypts a payload and executes it in a separate thread, a technique that helps it avoid detection and maintain persistence on the infected device.
This payload acts as a wrapper for the TextRecognizer interface within Google’s ML Kit library. This function enables the SDK to load various optical character recognition (OCR) models based on the system language to recognize text in Latin, Korean, Chinese, or Japanese within images. The ability to process text from images broadens the malware’s data collection capabilities, allowing it to scan and identify specific keywords within the user’s image gallery. This means that any photo containing sensitive information, such as handwritten notes with cryptowallet recovery phrases, could be targeted and exfiltrated without the user’s knowledge.
How the Malware Operates
Command and Control (C2) Server Interaction
The ‘Spark’ SDK employs a highly coordinated interaction with a Command and Control (C2) server to carry out its malicious activities. Upon installation, the SDK sends detailed device information to the C2 server, which then guides the subsequent actions of the malware. This initial communication allows the server to tailor its instructions and maximize the effectiveness of data exfiltration efforts. When a user initiates certain interactions, such as starting a chat with customer support, the SDK requests permission to access the device’s image gallery. If granted, this access becomes a gateway for further nefarious activities.
Once permission is obtained, the SDK sends a request to a specific API endpoint of the C2 server, which in return provides parameters for processing OCR results. These results are then used to filter images on the device based on keywords that signify financial terms or cryptowallet recovery phrases. This step is crucial as it narrows down the vast amount of data to only those pieces of information that are of high value to the attackers. The precise targeting of financially sensitive information underscores the sophisticated and financially motivated nature of this malware.
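A defender triaging apps for the behaviour described in the two sections above can look for the same combination statically: ML Kit text-recognition classes, the language-specific OCR model options, a gallery permission, and a configuration URL on GitLab among the strings extracted from the app. The following is an added example, not Kaspersky’s tooling and not the SDK’s code. The ML Kit class names and Android permission names are real identifiers; the indicator weights, the threshold, the sample strings and the GitLab URL are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Static-triage indicators drawn from the behaviour described in the article:
# the SDK wraps ML Kit's TextRecognizer, loads language-specific OCR models,
# asks for gallery access, and fetches its configuration from a GitLab URL.
# Class and permission names are real Android / ML Kit identifiers; the
# weights and the threshold are assumptions made for this example.
INDICATORS = {
    "mlkit_ocr": ([
        "com.google.mlkit.vision.text.TextRecognizer",
        "com.google.mlkit.vision.text.TextRecognition",
    ], 2),
    "mlkit_cjk_models": ([
        "com.google.mlkit.vision.text.chinese.ChineseTextRecognizerOptions",
        "com.google.mlkit.vision.text.japanese.JapaneseTextRecognizerOptions",
        "com.google.mlkit.vision.text.korean.KoreanTextRecognizerOptions",
    ], 2),
    "gallery_permission": ([
        "android.permission.READ_MEDIA_IMAGES",
        "android.permission.READ_EXTERNAL_STORAGE",
    ], 1),
}
# Any URL on gitlab.com embedded in the app's strings.
GITLAB_URL = re.compile(r"https?://(?:[\w-]+\.)*gitlab\.com/\S+", re.IGNORECASE)
REMOTE_CONFIG_WEIGHT = 2
SUSPICIOUS_THRESHOLD = 4  # OCR plus at least one supporting indicator


@dataclass
class TriageResult:
    matched: dict = field(default_factory=dict)  # indicator name -> matching strings
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # OCR alone is common in legitimate apps (document scanners, translators);
        # only flag it when combined with gallery access or remote configuration.
        return "mlkit_ocr" in self.matched and self.score >= SUSPICIOUS_THRESHOLD


def triage_app(strings, permissions) -> TriageResult:
    """Score an app from its extracted strings and its manifest permissions."""
    result = TriageResult()
    haystack = list(strings) + list(permissions)
    for name, (needles, weight) in INDICATORS.items():
        hits = sorted({s for s in haystack if any(n in s for n in needles)})
        if hits:
            result.matched[name] = hits
            result.score += weight
    config_urls = sorted({s for s in strings if GITLAB_URL.search(s)})
    if config_urls:
        result.matched["remote_config_gitlab"] = config_urls
        result.score += REMOTE_CONFIG_WEIGHT
    return result


# Constructed sample data (not real app contents); the URL is a placeholder.
SUSPICIOUS_STRINGS = [
    "com.google.mlkit.vision.text.TextRecognizer",
    "com.google.mlkit.vision.text.chinese.ChineseTextRecognizerOptions",
    "com.google.mlkit.vision.text.korean.KoreanTextRecognizerOptions",
    "https://gitlab.com/PLACEHOLDER-project/config/-/raw/main/config.json",
    "Start chat with support",
]
SUSPICIOUS_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_MEDIA_IMAGES",
]

# A receipt-scanner style app: OCR plus gallery access and nothing else.
BENIGN_STRINGS = [
    "com.google.mlkit.vision.text.TextRecognizer",
    "https://api.example.com/receipts",
]
BENIGN_PERMISSIONS = ["android.permission.INTERNET", "android.permission.READ_MEDIA_IMAGES"]

if __name__ == "__main__":
    for label, s, p in (("suspicious sample", SUSPICIOUS_STRINGS, SUSPICIOUS_PERMISSIONS),
                        ("benign sample", BENIGN_STRINGS, BENIGN_PERMISSIONS)):
        r = triage_app(s, p)
        print(f"{label}: score={r.score} suspicious={r.suspicious} matched={sorted(r.matched)}")
```

On a real sample the strings would come from decompiling or running a strings extractor over the APK; the identifiers shown are Android-specific, so an iOS build of the same SDK would need its own indicator set. Legitimate document scanners and translators also combine OCR with gallery access, so the score builds a review queue for an analyst rather than delivering a verdict.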
Targeting Financial Information
The processor classes within the SDK use the parameters provided by the C2 server to filter through the images stored on the device, searching for OCR-recognized words that indicate financial relevance. The malware focuses on capturing photos that contain these specific keywords, which are then selectively uploaded to the C2 server. This method ensures that only information with potential financial value is transmitted, reducing the volume of data and minimizing the chances of detection.
Kaspersky’s in-depth investigation revealed that the attackers were particularly interested in recovery phrases, also known as ‘mnemonics.’ These phrases comprise a series of words that can be used to regain access to cryptocurrency wallets. By targeting these critical pieces of information, the malware facilitates unauthorized access to the victim’s cryptocurrency holdings. The malware demonstrates a multilingual capability, searching for keywords in English, Chinese, Japanese, Korean, as well as in Czech, French, Italian, Polish, and Portuguese. This global approach reflects the broad scope of the attackers’ ambitions and their intent to target users across different regions and languages.
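The same property that makes recovery phrases easy for the malware to pick out of OCR output, a run of words all drawn from a fixed wordlist, lets a defender find them first. A mobile security product, or a user auditing their own photos before moving any seed phrase off the device, can scan OCR text for such a run and flag the image. The following is an added example, not Kaspersky’s code and not part of the SDK; it uses a constructed subset of the BIP-39 English wordlist and constructed OCR output, and it does not verify the BIP-39 checksum, which would need the full 2048-word list.

```python
import re

# Constructed subset of the BIP-39 English wordlist (the real list has 2048
# words). A production check loads the full list so that every valid phrase
# is recognised and the phrase's checksum can be verified as well.
SAMPLE_WORDLIST = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
adult advance advice aerobic affair afford afraid again age agent
agree ahead aim air airport aisle alarm album alcohol alert
""".split())

VALID_PHRASE_LENGTHS = (12, 15, 18, 21, 24)
MIN_RUN = min(VALID_PHRASE_LENGTHS)  # shortest valid phrase
WORD = re.compile(r"[a-z]+")  # drops the "1." numbering people write beside each word


def longest_wordlist_run(text: str, wordlist=SAMPLE_WORDLIST) -> int:
    """Length of the longest run of consecutive words that all sit in the wordlist."""
    best = current = 0
    for word in WORD.findall(text.lower()):
        current = current + 1 if word in wordlist else 0
        best = max(best, current)
    return best


def looks_like_recovery_phrase(text: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True when the text contains a run long enough to be a seed phrase."""
    return longest_wordlist_run(text, wordlist) >= MIN_RUN


def scan_gallery(ocr_by_image: dict, wordlist=SAMPLE_WORDLIST) -> list:
    """Return the names of images whose OCR text appears to hold a recovery phrase."""
    return sorted(name for name, text in ocr_by_image.items()
                  if looks_like_recovery_phrase(text, wordlist))


# Constructed OCR output for three hypothetical gallery images.
SAMPLE_OCR_OUTPUT = {
    "IMG_0001.jpg": "Grocery list: apples, milk, bread, coffee",
    "IMG_0002.jpg": ("1. abandon 2. ability 3. able 4. about 5. above 6. absent "
                     "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident"),
    "IMG_0003.jpg": "Meeting notes: action items, agent to follow up, add advice about account",
}

if __name__ == "__main__":
    for name, text in SAMPLE_OCR_OUTPUT.items():
        print(f"{name}: longest wordlist run {longest_wordlist_run(text)}")
    print("images to move out of the gallery:", scan_gallery(SAMPLE_OCR_OUTPUT))
```

Ordinary text hits the wordlist only in short bursts (the meeting note above reaches a run of four), while a written-down phrase produces an unbroken run of twelve or more, so the run length separates the two without any keyword list in the malware’s sense. Other languages’ BIP-39 wordlists can be swapped in the same way.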
Global Scope and Attribution
Language and Regional Targeting
The broad linguistic capabilities of the malware show a clear intention to target users on a global scale. By incorporating support for multiple languages, including English, Chinese, Japanese, Korean, Czech, French, Italian, Polish, and Portuguese, the malware extends its reach across diverse regions. This multilingual scope indicates a highly strategic approach, aiming to maximize the potential pool of victims. The researchers identified that the code comments and error messages were written in Chinese, suggesting that the creator of this malicious SDK might be a Chinese speaker. However, these linguistic clues alone are insufficient to definitively attribute the campaign to a specific group or individual.
The ability to target a wide range of languages also hints at the involvement of seasoned cybercriminals who understand the importance of broadening their attack surface. The malware’s capacity to recognize and process text in multiple languages enables it to operate effectively in various cultural and regional contexts. This level of sophistication points to a well-resourced and expertly managed campaign, leveraging advanced techniques to bypass security measures and exploit vulnerabilities in widely used applications.
Lack of Conclusive Attribution
Despite the advanced technical analysis and the clues found within the malware’s code, Kaspersky’s researchers could not conclusively attribute the campaign to a known cybercrime group. The absence of definitive evidence linking the malicious SDK to a recognized entity complicates efforts to identify the perpetrators and understand their broader objectives. The oldest version of this malicious SDK was built on March 15, 2024, a timeline that paralleled another significant finding by ESET researchers. ESET had uncovered trojanized versions of WhatsApp and Telegram apps, which utilized similar techniques to steal and modify clipboard content and recognize text in screenshots.
These trojanized apps were distributed through fake Telegram and WhatsApp websites, with potential victims directed to download links via Google Search ads. The similarities between these cases suggest the possibility of a larger, coordinated effort to exploit popular communication and financial tools. Yet, without concrete attribution, the cybersecurity community must remain vigilant and focus on detection, mitigation, and user education to reduce the impact of such threats.
The ‘SparkCat’ Campaign
Broader Target Audience
The wider implications of this malware campaign, dubbed ‘SparkCat’ by Kaspersky, reveal its extensive threat landscape. The campaign targeted a broad audience, including cryptowallet users in various European and Asian countries. Additionally, there were instances of the malware targeting users in African and Middle Eastern nations such as Zimbabwe and the UAE. This widespread targeting indicates a deliberate strategy to capture a diverse and geographically dispersed user base, further highlighting the campaign’s global reach.
The researchers faced challenges in determining whether the inclusion of the malicious SDK in these apps resulted from a supply chain attack or intentional developer actions. Some of the infected apps appeared legitimate, suggesting the possibility that developers might have unwittingly incorporated the SDK, believing it to be a beneficial addition. Conversely, other apps seemed expressly designed to lure victims, raising the possibility of deliberate malicious intent by some developers. These differing scenarios underline the need for developers to exercise extreme caution and ensure robust security checks when incorporating third-party SDKs into their applications.
Bypassing Security Checks
A particularly concerning aspect of the ‘SparkCat’ campaign is the relative ease with which the malicious SDK bypassed security checks to appear on official app stores. Despite the rigorous screening processes employed by Apple and Google, the SDK managed to evade detection and gain approval for distribution. The permissions requested by the apps were standard, often appearing to users as legitimate and necessary for app functionality. This element of deception played a critical role in the malware’s ability to infiltrate devices without arousing suspicion.
The SDK itself was stealthy, employing heavy obfuscation tactics and using legitimate-looking domains to mask its true nature. Its inactivity until specific conditions were met further contributed to its ability to fly under the radar. This sophisticated approach underscores the evolving tactics of cybercriminals, who continuously adapt to circumvent security measures and exploit new vulnerabilities. The success of these tactics calls for ongoing improvements in app store vetting processes and the development of more advanced detection methods to safeguard users against such threats.
Mitigation and User Protection
Indicators of Compromise
To help mitigate the risk posed by this malware, Kaspersky has provided indicators of compromise and listed the names of infected Android and iOS apps. These apps spanned various categories, including food delivery, AI chatbots, cryptocurrency exchange/wallets, payment, news, VPN, messaging, and sports. The diversity of these categories highlights the widespread nature of the threat and underscores the importance of vigilance in app usage. Although Google and Apple had removed most of the offending apps from their official stores, some remained accessible when the article was published, emphasizing the need for continuous monitoring and user awareness.
Users were urged to stay informed and proactively check their devices for any of the listed apps. The importance of such steps cannot be overstated, as early detection and removal of these compromised apps can significantly reduce the risk of data exfiltration. Additionally, utilizing mobile security software capable of detecting such threats provides an extra layer of protection, helping users maintain the security and integrity of their devices and sensitive information.
User Recommendations
To further safeguard against these threats, users were advised to take several critical steps. First, they should thoroughly check for and uninstall any of the listed apps if found on their devices. Employing mobile security software that offers a comprehensive cleanup feature can help ensure that no remnants of the malware remain. Additionally, users were encouraged to avoid storing unencrypted sensitive information on their devices, as this practice can exacerbate the risk of data compromise.
For those whose cryptowallets remained uncompromised, a proactive measure involved transferring their funds to new wallets with new seed phrases, preferably from a different, clean device. This transfer ensures that any potentially compromised recovery phrases are rendered useless to attackers, providing an added layer of security for the users’ cryptocurrency holdings. These recommended actions underscore the importance of vigilance and proactive measures in maintaining cybersecurity, particularly in light of sophisticated and evolving threats like the ‘Spark’ SDK.
Google’s Response
The recent discovery of malware embedded in several iOS and Android apps available on both Apple’s App Store and Google’s Play Store has raised serious security alarms. Researchers at cybersecurity firm Kaspersky have uncovered an embedded software development kit (SDK) called ‘Spark,’ which enables these apps to steal recovery phrases for cryptowallets.
This malicious SDK is specifically designed to hijack sensitive data from cryptowallets, which are often used for storing, transferring, and managing cryptocurrency funds. The presence of ‘Spark’ in widely available apps means that users of these platforms are at significant risk of having their cryptocurrency compromised.
This revelation highlights the ongoing challenges in securing mobile app environments and the critical need for vigilant security measures. Both Apple and Google face increased pressure to tighten their app review processes and safeguard against such threats, ensuring the safety and security of their users’ data in the ever-growing world of digital assets.