Malware that steals cryptocurrency found on App Store and Google Play

Kaspersky researchers have found that several iOS and Android apps available on Apple's and Google's official app stores contain a malicious software development kit (SDK) capable of extracting the seed recovery phrases of cryptowallets.

According to the researchers, the infected apps on Google Play had been downloaded over 242,000 times, and this is the first known instance of a stealer being found in Apple's App Store. The malicious SDK, named Spark, is also being distributed through unofficial app stores.

The Spark SDK works by downloading a configuration file and executing a payload that uses Google's ML Kit library for optical character recognition. This payload is specifically designed to find recovery phrases used to access cryptocurrency wallets. The SDK also sends device information to a command-and-control server, which lets the operators keep the malware running on the device.

Furthermore, the SDK is capable of accessing the device’s image gallery whenever the user initiates a chat with a support team. This grants the SDK permission to search for specific keywords in stored images, indicating a financial motivation behind the attacks.

The researchers discovered the SDK in iOS apps on the App Store as well, with evidence suggesting the creator of the malicious module is fluent in Chinese. However, they were unable to attribute the campaign to a specific cybercrime gang.

The malicious SDK targets users in various European and Asian countries, including China, as well as regions in Africa and the Middle East. It is unclear whether the SDK’s inclusion in these apps was a result of a supply chain attack or a deliberate action by developers.

In response to the threat, Kaspersky has provided indicators of compromise and listed the names of Android and iOS apps containing the malicious SDK. While Google and Apple have removed most of the offending apps, users are advised to check for any of these apps on their devices and remove them promptly. Additionally, using mobile security software and avoiding storing sensitive information unencrypted are recommended precautions.
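The check recommended above, comparing what is installed on a device against a published list of affected apps, can be scripted on the Android side. The following is an added example, not code from Kaspersky or from the report: it parses the output of `adb shell pm list packages` (with or without the `-f` flag, whose lines carry an APK path before the package ID) and reports any package that appears in an indicator list. The package names in `IOC_PACKAGES` are placeholders, not the names Kaspersky published; replace them with the real indicator list before use. It assumes `adb` is on the PATH and a device with USB debugging is connected.

```python
"""Compare installed Android packages with an indicator-of-compromise list."""
import subprocess
import sys

# Placeholder indicator list (hypothetical values, NOT the published IoCs).
IOC_PACKAGES = frozenset({
    "com.example.placeholder.one",
    "com.example.placeholder.two",
})

PREFIX = "package:"


def parse_pm_list(output: str) -> list[str]:
    """Extract package IDs from `pm list packages` output.

    Handles the plain form ("package:<id>") and the `-f` form
    ("package:<apk path>=<id>"), and tolerates CRLF line endings.
    """
    packages = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        rest = line[len(PREFIX):]
        # With -f the APK path precedes the ID; the ID follows the last '='.
        package_id = rest.rsplit("=", 1)[-1]
        if package_id:
            packages.append(package_id)
    return packages


def find_matches(installed, iocs=IOC_PACKAGES) -> list[str]:
    """Return the installed package IDs that appear in the indicator list."""
    return sorted(set(installed) & set(iocs))


def installed_packages_via_adb() -> list[str]:
    """Query the connected device; raises if adb is missing or fails."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages"],
        capture_output=True, text=True, check=True,
    )
    return parse_pm_list(result.stdout)


if __name__ == "__main__":
    try:
        installed = installed_packages_via_adb()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        sys.exit(f"could not query device via adb: {exc}")
    hits = find_matches(installed)
    if hits:
        print("Packages matching the indicator list (uninstall and review):")
        for package_id in hits:
            print(f"  {package_id}")
    else:
        print(f"No matches among {len(installed)} installed packages.")
```

A match is only a name match; an app listed in the indicators may have been updated or removed since publication, and an app that is absent from the list is not thereby proven clean, so the remaining advice on the page (mobile security software, not keeping seed phrases unencrypted on the device) still applies.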

For users with cryptowallets, it is suggested to transfer funds to a new wallet with a new seed phrase after ensuring their device is clean. Taking these steps from a separate device may offer an added layer of security.

In conclusion, the discovery of the Spark SDK highlights the ongoing threats posed by malware targeting cryptowallets on both iOS and Android platforms. Users are urged to remain vigilant and take necessary precautions to safeguard their sensitive information and assets.
