Researchers discover spyware disguised as a food delivery app that steals crypto wallet seed phrases
Kaspersky researchers have found spyware hidden in Apple's App Store: a malicious module inside an iOS food delivery app called ComeCome, which is also available on Google Play, built to steal the seed phrases of cryptocurrency wallet users and drain their funds.
Kaspersky researchers Dmitry Kalinin and Sergey Puzan said the app also sends victims' wallet keys to the fraud group behind it. According to their analysis, the delivery app embeds a malicious SDK that can activate an optical character recognition (OCR) plugin at an arbitrary time. When the OCR code runs, the app searches the screenshots stored on the device and scans them for a cryptocurrency wallet seed phrase. Once the spyware has the seed phrase, the attackers use it to steal the cryptocurrency in the victim's wallet.
The researchers also point out that a stolen seed phrase gives the criminal group behind the app full control of the victim's wallet, including the ability to transfer funds out. That is why a seed phrase is best stored and accessed offline rather than kept as a screenshot on a phone.
Apple has since removed the ComeCome delivery app, but what is alarming is that neither Google Play nor Apple's App Store detected the malware it contained. More than one seemingly normal app like ComeCome is still available for download, and these apps passed store review undetected. Even the trusted App Store can be fooled: ordinary-looking apps carried the SparkCat malware, which targets sensitive account passwords and wallet seed phrases.
The SparkCat malware specializes in stealing passwords and seed phrases
The researchers named the seed-phrase-stealing malware SparkCat and note that it is flexible enough to steal not only seed phrases but also other sensitive data on the phone, such as messages or passwords captured in screenshots.
The Kaspersky team said the criminal group targets Android and iOS users in Europe and Asia. Many apps on Google Play were infected with SparkCat, and those apps have been downloaded more than 242,000 times in total.
It cannot be confirmed whether SparkCat was planted in these apps by outside attackers or whether the developers themselves are the fraud group. Apple has removed ComeCome from the iOS App Store, and Google Play has removed the affected app as well. The researchers are concerned, however, that many seemingly legitimate commercial apps carrying the malware may still be listed in the stores and downloaded by unsuspecting users.
How does SparkCat work?
SparkCat is the name given to a highly obfuscated module called Spark found inside the malicious apps. The spyware is written mainly in Java and uses Rust to implement an unidentified protocol for communicating with its remote command-and-control (C2) server.
After connecting to the C2 server, the Android version of Spark downloads and loads a wrapper around the Text Recognizer interface of the Google ML Kit library to extract text from images. The malware loads a different OCR model depending on the system language so that it can recognize Latin, Korean, Chinese or Japanese characters. When the user opens the app's support chat (implemented with the legitimate third-party Easemob Help Desk SDK), the app requests access to the device's image gallery. If the user grants that permission, the malware runs OCR over the stored screenshots, looks for crypto wallet seed phrases, and sends any it finds to the C2 server.
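The OCR step only yields raw text; the stealer still has to decide which images contain a seed phrase. The following is an added example (not Kaspersky's analysis code and not SparkCat's own logic) of the kind of filter that step needs: it extracts BIP39 mnemonics from OCR output, handling the numbered "1. word 2. word" layout of wallet backup screens as well as plain runs of words. The same filter lets a defender scan OCR output from their own gallery for backup screenshots that should be deleted. The wordlist is a constructed subset of the 2048-word English BIP39 list (the `BIP39_WORDLIST` environment variable and the sample OCR texts are assumptions of this example); with the full list the BIP39 checksum could be verified as well.

```python
"""Heuristic detection of BIP39 seed phrases in OCR output.

Added example, not Kaspersky's analysis code and not SparkCat's own logic.
"""
import os
import re
from typing import List

# Assumption: a constructed subset of the 2048-word English BIP39 list, enough
# to run this example offline. Point BIP39_WORDLIST at the full english.txt
# (one word per line) to use the real list.
_SAMPLE_WORDLIST = (
    "abandon ability able about above absent absorb abstract absurd abuse "
    "access accident account accuse achieve acid acoustic acquire across act "
    "action actor actress actual adapt add addict address adjust admit adult "
    "zebra zero zone zoo"
)
MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)


def load_wordlist() -> frozenset:
    path = os.environ.get("BIP39_WORDLIST")
    if path and os.path.isfile(path):
        with open(path, encoding="utf-8") as fh:
            return frozenset(line.strip().lower() for line in fh if line.strip())
    return frozenset(_SAMPLE_WORDLIST.split())


WORDLIST = load_wordlist()

# Wallet backup screens usually number the words ("1. abandon", "2) ability").
_NUMBERED_RE = re.compile(r"(\d{1,2})\s*[.):]?\s*([A-Za-z]+)")
_WORD_RE = re.compile(r"[A-Za-z]+")


def numbered_phrase(ocr_text: str) -> List[str]:
    """Words laid out as 1..N; returned only if the numbering is consecutive
    from 1, every word is in the wordlist and N is a valid mnemonic length."""
    pairs = [(int(n), w.lower()) for n, w in _NUMBERED_RE.findall(ocr_text)]
    numbers = [n for n, _ in pairs]
    words = [w for _, w in pairs]
    if (numbers == list(range(1, len(numbers) + 1))
            and len(words) in MNEMONIC_LENGTHS
            and all(w in WORDLIST for w in words)):
        return words
    return []


def wordlist_runs(ocr_text: str, min_len: int = 12) -> List[List[str]]:
    """Fallback for unnumbered layouts: maximal runs of consecutive wordlist
    tokens at least min_len long. Digits and punctuation between words are
    ignored so OCR noise does not break a run."""
    runs, run = [], []
    for tok in [t.lower() for t in _WORD_RE.findall(ocr_text)] + [None]:
        if tok is not None and tok in WORDLIST:
            run.append(tok)
            continue
        if len(run) >= min_len:  # a None sentinel flushes the final run
            runs.append(run)
        run = []
    return runs


def looks_like_seed_backup(ocr_text: str) -> bool:
    """True if the OCR text contains something shaped like a seed phrase.
    The subset wordlist cannot index words, so no checksum is verified here."""
    if numbered_phrase(ocr_text):
        return True
    return any(len(r) in MNEMONIC_LENGTHS for r in wordlist_runs(ocr_text))


# Constructed samples of what OCR typically yields for three screenshots.
SAMPLE_SCREENSHOT_OCR = """Write down your recovery phrase
1. abandon   2. ability   3. able    4. about
5. above     6. absent    7. absorb  8. abstract
9. absurd    10. abuse    11. access 12. accident
Never share it with anyone"""
SAMPLE_NOTES_OCR = ("backup: abandon ability able about above absent absorb "
                    "abstract absurd abuse access accident")
SAMPLE_RECEIPT_OCR = """Order #4821
2 x Pad Thai ... 18.00
Delivery fee ... 3.50
Thank you for ordering!"""

if __name__ == "__main__":
    for name, text in [("screenshot", SAMPLE_SCREENSHOT_OCR),
                       ("notes", SAMPLE_NOTES_OCR),
                       ("receipt", SAMPLE_RECEIPT_OCR)]:
        print(name, looks_like_seed_backup(text))
```

The numbered layout is checked first because it is the most reliable signal: a wallet never shows a numbered list of exactly 12 or 24 dictionary words for any other reason. The run-based fallback catches phrases pasted into a notes app, at the cost of more false positives on ordinary English, which is why it insists on a valid mnemonic length.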
How to protect yourself from this spyware?
Write the wallet seed phrase down with pen and paper; it is the oldest way to protect it. Many people take a screenshot instead for convenience, but the researchers consider that far more dangerous. Beyond not installing apps from unknown sources, check app permissions regularly: look for apps that have been granted access to photos, the microphone, the camera or screen capture for no obvious reason. Many apps ask for these permissions at installation, so review them periodically and revoke any permission an app does not need while it is not in use. This is a simple daily precaution that keeps third-party apps away from that data.
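The permission review above can be done from a computer rather than by tapping through every app. The script below is an added example (not from the article or from Kaspersky) that parses the output of `adb shell dumpsys package` and lists the packages that hold the runtime permissions exposing screenshots, READ_MEDIA_IMAGES on Android 13 and later and READ_EXTERNAL_STORAGE on older versions. The sample dump, the package names and the exact dumpsys layout it matches are assumptions of this example.

```python
"""List installed Android apps that have been granted gallery access.

Added example, not from the article or Kaspersky. Assumes the dumpsys layout
"Package [name] (hash):" followed by "<perm>: granted=true|false, ..." lines.
"""
import re
import sys
from typing import Dict, List

GALLERY_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13+
    "android.permission.READ_EXTERNAL_STORAGE",  # Android 12 and earlier
}

_PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
_GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted(dump: str) -> Dict[str, List[str]]:
    """Map package name -> permissions found granted in its dumpsys section."""
    grants: Dict[str, List[str]] = {}
    current = None
    for line in dump.splitlines():
        m = _PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            grants.setdefault(current, [])
            continue
        m = _GRANT_RE.match(line)
        if m and current and m.group(2) == "true":
            grants[current].append(m.group(1))
    return grants


def apps_with_gallery_access(dump: str) -> List[str]:
    """Packages holding at least one of the gallery permissions."""
    return sorted(pkg for pkg, perms in parse_granted(dump).items()
                  if GALLERY_PERMISSIONS & set(perms))


# Constructed sample dump with two third-party apps; only the delivery app
# holds gallery access, which a food-ordering app has no obvious need for.
SAMPLE_DUMP = """Packages:
  Package [com.example.delivery] (a1b2c3):
    userId=10234
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (d4e5f6):
    userId=10235
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
"""

if __name__ == "__main__":
    # Usage: adb shell dumpsys package > dump.txt && python audit.py dump.txt
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_DUMP
    for pkg in apps_with_gallery_access(text):
        # revoke with: adb shell pm revoke <pkg> android.permission.READ_MEDIA_IMAGES
        print(pkg)
```

Revoking is a per-app decision: a messaging app may legitimately need photo access, while a delivery or ordering app rarely does. Note that an app can still let the user pick individual photos through the system photo picker without holding either permission, so an empty result does not mean the gallery is unreachable, only that no app can scan it wholesale.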
This article, "Researchers discover spyware disguised as a food delivery app that steals crypto wallet seed phrases", first appeared on Chain News ABMedia.