Finger on App Store icon showing crypto stealer malware

First Crypto Stealer Malware on iOS App Store Steals Wallet Recovery Secrets and Passwords

Security researchers have discovered the first known crypto stealer malware on the iOS App Store; apps carrying the same malicious code were also found on Android’s Google Play Store.

The stealer is linked to a crypto theft campaign dubbed “SparkCat” that uses optical character recognition (OCR) and machine learning to analyze screenshots and retrieve wallet recovery secrets and passwords.

The campaign, which has been running for nearly a year, involves numerous infected apps downloaded hundreds of thousands of times from both official and unofficial app stores.

Crypto stealer malware linked to malicious SDK

The malware is delivered through a malicious software development kit (SDK) whose Java component is an analytics-style module called “Spark,” hence the campaign name.

Cybersecurity firm Kaspersky, which detected the crypto stealer campaign, says it cannot confirm whether the infection resulted from a supply chain attack or from the app developers’ deliberate action.

“In terms of both App Store and Google Play, at the moment it’s unclear whether applications in these stores were compromised through a supply chain attack or through various other methods. Some apps, like food delivery services, appear legitimate, while others are clearly designed as lures,” Kaspersky said.

The crypto stealer communicates with its command-and-control (C2) server through a native library, libmodsvmp.so, written in Rust, a language rarely seen in mobile applications. It also uses Google’s ML Kit library for OCR to recognize text in images and pick out wallet mnemonic (seed) phrases. The SDK downloads a configuration file from a GitLab URL and falls back to built-in default settings if the download fails.

“Once a configuration has been downloaded, Spark decrypts a payload from assets and executes it in a separate thread,” Kaspersky explained.

Kaspersky explained that the payload “is a wrapper for the TextRecognizer interface in Google’s ML Kit library. It loads different OCR models depending on the system language to recognize Latin, Korean, Chinese, or Japanese characters in images.”
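The traits described above (a Rust native library named libmodsvmp.so, ML Kit text-recognition classes in the app code, a hard-coded GitLab configuration URL, and gallery access in the manifest) can be turned into a static triage check for Android packages. The following Python script is an added example and not Kaspersky’s tooling; the sample APK-like zips it builds, the GitLab URL inside them and the ML Kit class path it looks for are constructed for this demonstration, and the hash list it accepts is whatever indicators the analyst supplies, since the report’s hashes are not reproduced here. The manifest check searches for the permission string in both encodings that binary AXML uses rather than fully parsing the manifest.

```python
# Added example (not Kaspersky's code): static triage of an Android APK for
# the SparkCat-style traits described above. The sample APKs, the file paths
# and the GitLab URL below are constructed for this demonstration.
import hashlib
import io
import re
import zipfile

NATIVE_LIB = "libmodsvmp.so"                           # Rust C2 library named in the report
MLKIT_TEXT_PREFIX = b"Lcom/google/mlkit/vision/text/"  # ML Kit text-recognition classes in dex
GALLERY_PERMISSIONS = (                                # photo/gallery access on Android
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
)
GITLAB_URL = re.compile(rb"https?://gitlab\.com/[\w./-]+")


def _manifest_has(manifest: bytes, name: str) -> bool:
    """Binary AXML stores its string pool as UTF-16LE or UTF-8, so look for
    both encodings. A real AXML parser (e.g. androguard) is more robust."""
    return name.encode("utf-8") in manifest or name.encode("utf-16-le") in manifest


def scan_apk(apk: bytes, known_hashes=frozenset()) -> dict:
    """Return the SparkCat-style indicators found in an APK given as bytes."""
    sha256 = hashlib.sha256(apk).hexdigest()
    zf = zipfile.ZipFile(io.BytesIO(apk))
    names = zf.namelist()

    # 1. the Rust C2 library under any ABI directory
    native_lib = [n for n in names if n.startswith("lib/") and n.endswith("/" + NATIVE_LIB)]

    # 2./3. ML Kit text-recognition classes and GitLab config URLs in code
    code = b"".join(zf.read(n) for n in names if n.endswith((".dex", ".so")))
    mlkit = MLKIT_TEXT_PREFIX in code
    gitlab_urls = sorted({m.decode() for m in GITLAB_URL.findall(code)})

    # 4. gallery/photo permissions in the (binary) manifest
    manifest = zf.read("AndroidManifest.xml") if "AndroidManifest.xml" in names else b""
    perms = [p for p in GALLERY_PERMISSIONS if _manifest_has(manifest, p)]

    indicators = [name for name, hit in (
        ("native_lib", native_lib), ("mlkit_text_recognition", mlkit),
        ("gallery_permission", perms), ("gitlab_config_url", gitlab_urls)) if hit]
    return {"sha256": sha256, "known_ioc": sha256 in known_hashes,
            "native_lib": native_lib, "mlkit_text_recognition": mlkit,
            "gallery_permissions": perms, "gitlab_urls": gitlab_urls,
            "indicators": indicators}


def build_sample_apk(infected: bool) -> bytes:
    """Construct a minimal APK-like zip for the demo (not a real app).
    Fixed timestamps keep the archive bytes, and so its hash, deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name, data):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2024, 3, 1, 0, 0, 0)), data)
        perm = "android.permission.READ_MEDIA_IMAGES" if infected else "android.permission.INTERNET"
        # fake AXML: a short header followed by the permission string in UTF-16LE
        add("AndroidManifest.xml", b"\x03\x00\x08\x00" + perm.encode("utf-16-le"))
        dex = b"dex\n035\x00" + b"Lcom/example/app/MainActivity;\x00"
        if infected:
            dex += MLKIT_TEXT_PREFIX + b"TextRecognizer;\x00"
            dex += b"https://gitlab.com/example/cfg/raw/config.json\x00"  # hypothetical URL
            add("lib/arm64-v8a/" + NATIVE_LIB, b"\x7fELF" + b"rust_begin_unwind\x00")
        add("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("infected", True), ("benign", False)):
        print(label, scan_apk(build_sample_apk(sample))["indicators"])
```

The script reports which of the four traits an archive exhibits and whether its SHA-256 is in a supplied indicator list; a single hit (ML Kit or gallery access alone) is common in legitimate apps, so the useful signal is the combination, in particular the Rust library together with OCR classes and a gallery permission.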

To reach those images, infected apps request permission to access the photo gallery, a request that looks innocuous to many users but carries serious implications: any screenshot of a seed phrase or password stored in the gallery becomes readable to the malware.

“The permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance,” Kaspersky warned.

However, the apps are particularly dangerous because, as Kaspersky notes, “there’s no indication of a malicious implant hidden within the app.”

The campaign has been active since March 2024. On the Google Play Store, where download numbers are available, users have installed the infected apps over 242,000 times.

First crypto stealer malware found on the iOS App Store

“The infected apps were downloaded more than 242,000 times from Google Play. This is the first known case of a stealer being found in the App Store,” Kaspersky said.

The appearance of a crypto stealer on the App Store, Kaspersky stated, “shatters the myth that iOS is somehow impervious to threats posed by malicious apps targeting Android.”

Because the campaign distributes the malware through both official and unofficial app stores, the actual number of victims is difficult to estimate. It primarily targets users in Europe and Asia, and the threat actor appears to be fluent in Chinese.

ComeCome, a Chinese food delivery app available in the UAE and Indonesia with over 10,000 downloads on the Google Play Store, was infected in both its Google Play and App Store versions. At the time of publication, ComeCome was still available on the App Store.

AI chatbot apps WeTink, ChatAI, and AnyGPT also contained the crypto stealer code. Kaspersky has published the hashes and bundle identifiers of the infected apps in the ‘indicators of compromise’ section of its report.

Google and Apple have since removed many of the offending apps from their stores. However, the scope of the campaign suggests that more infected apps remain in the wild.