Recently, it was observed that apps available on the Google Play Store and Apple App Store contain malicious software development kits (SDKs) that steal users’ cryptocurrency wallet recovery phrases. The campaign, named “SparkCat”, was revealed by Kaspersky. It is possible that the developers of these apps are involved in this attack unintentionally and unknowingly.
Specifically, according to Kaspersky, the infected apps published on the Google Play Store have been downloaded more than 242,000 times, and this is the first instance of this kind of stealer appearing on the App Store. The infected Android apps use a malicious Java component called “Spark”, disguised as an analytics module, which uses Google’s machine learning kit (ML Kit) to extract text from images stored on the device. The malicious SDK searches for images containing secrets using keywords that vary from region to region. As a result, it can locate a specific user’s cryptocurrency wallet recovery phrase and transfer it to the attacker’s infrastructure.
On iOS, the SDK appears under different names such as “Gzip”, “googleappsdk”, and “stat”, and uses a Rust-based network module for its malicious communication. Kaspersky’s study identified 18 Android apps and 10 iOS apps, some of which are still available in the app stores.
In particular, an Android app called “ChatAi” has been installed more than 50,000 times and has now been removed from Google Play. If you have already installed such an app on your device, it is recommended that you uninstall it immediately and scan the device with mobile antivirus software. In addition, you should also consider resetting the device to factory settings.
In general, saving a screenshot of your cryptocurrency wallet’s recovery phrase should be avoided in the first place; it is preferable to store it on physical offline media, an encrypted removable storage device, or a self-hosted offline password manager vault. This reduces the security risk.
BleepingComputer reached out to Apple and Google for comment on the existence of these apps, but has not received a response at this time. Users should keep an eye out for future updates and, to protect themselves from these threats, take appropriate protective measures on their own.