A recent study by SecureList reveals a malicious SDK named “SparkCat”, found in Android and iOS apps, that steals crypto wallet recovery phrases. Infected apps on Google Play have reached over 242,000 downloads, and the SDK has been operational since March 2024. The study identifies five domains as indicators of compromise, and further investigation uncovered a network of connected domains and email addresses.
Affected: Android apps, iOS apps, crypto wallet users
Key points:
- Malicious SDK “SparkCat” has been found in Android and iOS apps.
- Over 242,000 downloads of infected apps on Google Play.
- First identified crypto stealers available on Apple’s App Store.
- SparkCat has been active since March 2024, as indicated by timestamps in GitLab repositories.
- The report identifies five domains acting as indicators of compromise.
- Research revealed 611 email-connected domains and 179 string-connected domains, with some already weaponized.
- A downloadable sample of the artifacts is available on the report's website.
- Evidence from DNS, WHOIS, and other API queries provided deeper insight into the connected domains and email addresses.
MITRE Techniques:
- T1071 – Application Layer Protocol: Utilized for the communication of stolen data between infected apps and the attacker.
- T1592 – Gather Victim Information: Involves gathering crypto wallet recovery phrases from infected devices.
- T1070 – Indicator Removal on Host: Potentially used to delete traces of the malware after execution.
Indicators of Compromise:
- [Domain] aliyung.com
- [Domain] googleapps.top
- [Domain] atozb.com
- [Email Address] [email protected] (address redacted on the page; a sample representing the public addresses found)
- [Domain] connectediom.com
Full Story: https://circleid.com/posts/igniting-a-dns-spark-to-investigate-the-inner-workings-of-sparkcat