Kaspersky researchers have discovered the first known app in Apple’s App Store to carry hidden optical character recognition (OCR) spyware. The malicious code was found in an iOS app called ComeCome and is designed to steal cryptocurrency from unsuspecting victims.
According to Kaspersky analysts Dmitry Kalinin and Sergey Puzan, ComeCome, which also exists on Google Play, poses as a food delivery service while secretly harvesting users’ cryptocurrency wallet recovery phrases. The app embeds a malicious SDK/framework that decrypts an OCR plugin and uses it to hunt through images on the device for screenshots containing sensitive information.
Once the OCR code is activated, it extracts seed phrases, the recovery words that give full control over a crypto wallet. With a stolen seed phrase the attackers can restore the wallet on their own device and transfer the funds out, which is why seed phrases must be kept confidential and, in particular, out of photos and screenshots.
The researchers have named this seed-snatching malware SparkCat. It is not limited to recovery phrases: other sensitive data such as messages or passwords captured in screenshots can be extracted the same way. The malware targets Android and iOS users in Europe and Asia, and the infected apps on Google Play alone had been downloaded over 242,000 times.
Despite the screening performed by the official marketplaces, the infected apps passed review because nothing in them visibly signalled malicious activity. As Kaspersky’s researchers note, the incident dispels the misconception that iOS devices are immune to threats posed by malicious apps.
Apple has removed the malicious ComeCome application from the App Store, and the other infected apps have been removed from Google Play. It remains unclear whether SparkCat got into these applications through a supply-chain attack or was inserted deliberately by the developers.
The Android version of the spyware is mostly written in Java and uses an unidentified protocol implemented in Rust to communicate with its remote command-and-control (C2) server. After connecting to the C2 server, the Spark SDK downloads OCR models matched to the device’s system language and uses them to extract text from images.
The app also uses a legitimate third-party SDK to request access to the device’s photo gallery, then scans the screenshots it finds there for recovery phrases. Users who grant that access unknowingly expose their sensitive data, a reminder of how effectively a plausible permission prompt can be used for social engineering.
In conclusion, the emergence of SparkCat is a reminder of the evolving threats targeting mobile users and of the caution needed when installing and granting permissions to apps. Collaboration between researchers and platform providers remains crucial for detecting and mitigating such threats and protecting users’ sensitive information.
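The two technical steps the article describes, an OCR pass over gallery screenshots and a hunt through the recognized text for recovery phrases, come down to one check: does a run of words form a valid BIP-39 mnemonic? The script below is an added example, not code from the page or from Kaspersky’s report. It shows the triage a scanner would run over OCR output (and, in mirror image, what the OCR plugin must do): tokenize noisy screenshot text, find runs of dictionary words of a valid length, and confirm the BIP-39 checksum so that ordinary prose does not trigger on word matches alone. To run offline it uses a constructed 2048-entry stand-in word list and constructed OCR lines; swapping in the real English BIP-39 list changes nothing else.

```python
"""Triage OCR output for BIP-39 recovery phrases (added example, not the page's code)."""
import hashlib
import re
from typing import Dict, Iterable, List

# Constructed stand-in for the 2048-word BIP-39 English list: "aaa", "aab", ... "dat".
# Real deployments load the genuine list; only the words differ, not the logic.
WORDLIST: List[str] = [
    "".join(chr(97 + d) for d in (i // 676, (i // 26) % 26, i % 26)) for i in range(2048)
]
WORD_INDEX: Dict[str, int] = {w: i for i, w in enumerate(WORDLIST)}
VALID_LENGTHS = (12, 15, 18, 21, 24)   # word counts for 128..256 bits of entropy
TOKEN_RE = re.compile(r"[a-z]+")       # drops the "1." numbering wallets print


def entropy_to_mnemonic(entropy: bytes, wordlist: List[str] = WORDLIST) -> List[str]:
    """Standard BIP-39 encoding: ENT bits followed by the first ENT/32 bits of SHA-256."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [wordlist[(bits >> (total - 11 * (k + 1))) & 0x7FF] for k in range(total // 11)]


def is_valid_mnemonic(words: List[str], index: Dict[str, int] = WORD_INDEX) -> bool:
    """True if every word is in the list, the length is valid and the checksum matches."""
    n = len(words)
    if n not in VALID_LENGTHS:
        return False
    bits = 0
    for w in words:
        if w not in index:
            return False
        bits = (bits << 11) | index[w]
    total = n * 11
    cs_bits = total // 33            # 4 bits for 12 words, 8 bits for 24 words
    ent_bits = total - cs_bits
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected


def find_seed_phrases(ocr_lines: Iterable[str], index: Dict[str, int] = WORD_INDEX) -> List[List[str]]:
    """Return every checksum-valid phrase found in the OCR token stream.

    OCR text is noisy: a phrase may span several lines, be numbered, or be
    mixed-case. Tokens are lowercased and digits/punctuation discarded, then
    runs of consecutive dictionary words are checked at every valid length.
    Non-dictionary words break a run, so unrelated text is never spliced together.
    """
    tokens: List[str] = []
    for line in ocr_lines:
        tokens.extend(TOKEN_RE.findall(line.lower()))
    found: List[List[str]] = []
    run: List[str] = []
    for tok in tokens + [""]:         # "" is a sentinel that closes the final run
        if tok in index:
            run.append(tok)
            continue
        for length in VALID_LENGTHS:
            for start in range(len(run) - length + 1):
                candidate = run[start:start + length]
                if is_valid_mnemonic(candidate, index):
                    found.append(candidate)
        run = []
    return found


SAMPLE_ENTROPY = bytes.fromhex("0c1e2b3d4f5a6c7e8f9a0b1c2d3e4f50")   # constructed


def sample_ocr_lines() -> List[str]:
    """Constructed OCR output for a wallet backup screenshot (numbered, 3 words per line)."""
    phrase = entropy_to_mnemonic(SAMPLE_ENTROPY)
    numbered = [f"{i + 1}. {w}" for i, w in enumerate(phrase)]
    return (["Your Recovery Phrase", "Write these words down in order:"]
            + [" ".join(numbered[i:i + 3]) for i in range(0, 12, 3)]
            + ["Never share this phrase with anyone."])


if __name__ == "__main__":
    for hit in find_seed_phrases(sample_ocr_lines()):
        print("seed phrase found:", " ".join(hit))
```

The checksum step is what separates a real detector from a keyword grep: 12 lowercase dictionary words in a row are common in ordinary text, but only one candidate in sixteen (one in 256 for 24 words) carries a matching checksum by chance. A defender can run the same logic over a device’s screenshots to find backups that should never have been photographed.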