Take my money: OCR crypto stealers in Google Play and App Store

In March 2023, malware was detected in various messaging app mods targeting Android and Windows users; it focused on crypto wallet recovery phrases stored in users’ image galleries. This campaign, dubbed “SparkCat,” used OCR technology to exfiltrate the sensitive data and has been identified in both the Google Play Store and Apple’s App Store. Although the infected apps were rigorously screened, they still bypassed the stores’ defenses and accumulated over 242,000 downloads. The malware used complex communication protocols and sophisticated obfuscation techniques, making detection difficult.

Affected: Android, iOS, Google Play Store, Apple App Store

Key points:

  • Malware implants were found in messaging app mods for Android and iOS.
  • Targeted recovery phrases for cryptocurrency wallets were extracted using OCR technology.
  • Infected apps were available in both Google Play Store and Apple App Store.
  • Over 242,000 downloads of infected apps were reported, indicating a significant spread.
  • The malware, named “SparkCat,” utilized an unidentified Rust-based protocol for communication.
  • Obfuscation techniques made static analysis of the malware challenging.
  • Attackers used keywords in various languages to target potential victims.
  • The campaign indicates that even iOS apps are vulnerable to sophisticated malware.

MITRE Techniques:

  • TA0001 – Initial Access: The malware relied on unofficial app sources as entry points.
  • TA0009 – Collection: The malware used OCR to scan users’ galleries for sensitive information.
  • TA0011 – Command and Control: Communication with C2 was managed through a Rust-based, hard-to-analyze protocol.
  • TA0023 – Credential Dumping: Targeted the recovery phrases for cryptocurrency wallets.
  • TA0042 – Resource Development: Use of malicious SDKs installed via official app stores.

Indicators of Compromise:

  • [Domain] api.aliyung.com
  • [Domain] api.aliyung.org
  • [URL] https://dmbucket102.s3.ap-northeast-1.amazonaws.com/

Full Story: https://securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/