- Applications delivering malware to users to steal cryptocurrency found on the iOS App Store
- Some of these applications have thousands of installations on iOS and Android
- The "SparkCat" campaign has been active since March 2024
Crypto-stealing malware nicknamed "SparkCat" has been discovered in the iOS and Android app stores; it is embedded in a "malicious SDK/framework to steal recovery phrases for crypto wallets".
A Kaspersky report has identified malicious applications, some with more than 10,000 downloads, which scan the victims' photo galleries for keywords; if matching images are found, they are sent to a C2 server.
This is the first time a stealer has been found in the Apple App Store, which matters because Apple reviews every submission to "help provide a safe and trusted experience for users". Malware-laced apps getting through show that the review process is not as robust as it should be.
Although it is aimed at stealing cryptocurrency wallet recovery phrases, Kaspersky notes that the malware is "flexible enough" to steal other sensitive data from victims' galleries. Here is what we know.
Several malicious applications
The SparkCat malware was first discovered at the end of 2024 and is suspected of having been active since March 2024.
The first application identified by Kaspersky was a Chinese food delivery application, ComeCome. The app had more than 10,000 downloads and was based in Indonesia and the United Arab Emirates. It carried a malicious component containing OCR spyware that selected images on infected devices and exfiltrated them to the C2 server.
It was not the only infected application: the researchers found that the infected apps available on Google Play had been downloaded a combined total of more than 242,000 times. In 2024, more than 2 million risky Android applications were blocked from the Play Store, including some that tried to push malware and spyware, so although Google is improving its protections, some clearly still slip through.
On the App Store, some applications "seemed to be legitimate", such as food delivery services, while others had apparently been built to "lure victims". One example the researchers highlighted is a series of similar AI messaging apps by the same developer, including AnyGPT and WeThink.
It is not clear whether these infections are deliberate actions by the developers or the result of supply chain attacks, but the report notes that the "permissions it requests may seem necessary for its core functionality or appear harmless at first glance."
"What makes this Trojan particularly dangerous is that there is no indication of a malicious implant hidden within the application," adds Kaspersky.
Mitigating the malware
If you have one of the infected applications installed on your device, Kaspersky naturally recommends removing it and steering clear of it until a fix is published. The list of infected applications can be found here.
Software such as antivirus can help protect your device, but since a key part of this particular malware is the exfiltration of sensitive data from screenshots, the best advice is to avoid storing passwords, confidential documents or other sensitive information in your gallery.
Instead, use one of the best password managers to store your information safely; it is a far safer and more practical option than keeping your passwords in your photos. Make sure you do not reuse passwords across several sites, and change your passwords regularly to avoid a breach.
There are a few tips for avoiding malicious apps, and since dangerous malware apps have been installed millions of times, it is always better to be safe.
First of all, watch for the warning signs. Read the reviews, especially the negative ones, because someone else has likely already reported a problem. Be very suspicious of an app that asks for your existing social media login credentials, because it could be criminals looking to hijack your account.