Crypto Wallets Under Attack: Malware Sneaks into App Store with OCR Trickery

Crypto Wallets at Risk as Malware Sneaks into App Store

Overview

• Date: February 5, 2025
• Source: Kaspersky researchers have identified a new malware campaign targeting iOS and Android devices.

Malware Details

• Name: SparkCat
• Function: Steals cryptocurrency wallet recovery phrases using optical character recognition (OCR).
• Scope: Affects multiple apps on both app stores, with some identified but many remaining unnamed.
• Downloads: Infected apps on Google Play had over 242,000 downloads.
• First Detection: Found in a food delivery app called ComeCome, available in the UAE and Indonesia.

Threat Characteristics

• Stealth: Malware has been active since March 2024, scanning users' photo galleries for wallet recovery phrases.
• Communication: Uses a custom protocol built in Rust to communicate with attacker-controlled servers.
• Legitimacy: Infected apps appeared legitimate, including food delivery and AI-powered messaging apps.

Actions Taken

• App Removal: Apple and Google have removed most affected apps.
• Security Advice: Users should delete suspicious apps, check crypto wallets for unauthorized access, and consider transferring funds to a new wallet if compromised.

Preventive Measures

• Regular App Review: Check installed apps regularly and remove unfamiliar or unnecessary ones.
• Mobile Security Apps: Use reputable security apps to detect potential threats.
• Resetting Device: If compromised, delete suspicious apps, reset app permissions, and clear cached data. Ensure backups are clean before restoration.