New iPhone, Android Warning: Stop Using These Apps

An alarming new warning has just been issued for iPhone and Android users, with a cybersecurity firm warning that apps in both Google’s Play Store and Apple’s App Store have been infected with “malicious” code that lets attackers empty crypto wallets.

This is yet another case of malicious SDKs corrupting genuine apps and piggybacking onto users’ devices. And it works. Kaspersky says that “infected apps have been downloaded more than 242,000 times from Google Play. This is the first known case of a stealer getting into the App Store.” I have approached both Google and Apple for any response to the new report and for confirmation that the infected apps have been fixed.

The malicious code uses OCR to scan a device’s image gallery for words and phrases in several languages that could be the recovery phrases used to access or restore the wallets on that device. This, says Kaspersky, is a play on the type of attack reported by ESET in 2023, where dozens of copycat Telegram and WhatsApp apps were deployed to steal clipboard content in order to access wallets. But ESET also discovered some of the copycat apps “using optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.” This is an evolution of that risk, and it is now much worse.

Kaspersky says it “managed to identify the attackers’ motivation: they steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet and then drain its funds.” The researchers discovered the new attack at the end of 2024, but the malicious component had been deployed much earlier.

“The malware, which we called SparkCat, uses an unidentified protocol implemented in Rust, a language that is rare for mobile applications, to communicate with its C2. Judging by the timestamps in the malware files and the creation dates of configuration files in the GitLab repositories, SparkCat has been active since March 2024.”

The threat is international: “the very first application that seemed suspicious to us was a food delivery app for the UAE and Indonesia called ComeCome (package name – com.bintiger.mall.android),” and it can be expected to spread quickly. The malware loads “different OCR models depending on the system language to distinguish Latin, Korean, Chinese and Japanese characters in the pictures.”

While this seems to have infected more Android than iPhone apps, Kaspersky says that “the App Store has iOS applications infected with a malicious framework containing the same Trojan. For example, the ComeCome food delivery app for iOS was infected, as was its Android version. This is the first known case of OCR spyware in the official Apple store.”

The infected apps are listed in Kaspersky’s report, and all will likely be patched now that these findings have been published. The package names are below; it’s worth a scan to see if you recognize any that might be installed on your phone.

If you have one of these apps, delete it and reinstall it only once a safe update is available; until then, do not use it. “The Trojan is dangerous because nothing hints at a malicious implant hidden inside the application,” Kaspersky explains. “The permissions it requests may be used in the app’s core functionality or appear harmless at first glance, and the malware operates quite stealthily.”

Kaspersky’s other tips will be a wake-up call for many. “Don’t store screenshots with sensitive data in the gallery, including recovery phrases for crypto wallets.” Instead, it says, “passwords, confidential documents and other sensitive information can be stored in special applications.”

Common sense, perhaps, but I am sure most of us have passwords and phrases sitting in our image galleries, saved as a quick reminder. Time to do something about that now.
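As an added, defensive illustration of that advice (this is example code, not from the article or from Kaspersky), the Python script below audits a folder of your own images for the thing SparkCat hunts: it OCRs each image and flags any containing a run of twelve or more consecutive BIP39 wordlist words, the shape of a wallet recovery phrase, so you can find and delete such screenshots yourself. It assumes pytesseract and Pillow are installed for the OCR step, that you supply a Latin-script BIP39 wordlist file, and the image extensions are a guess; the tokenizer does not handle the Korean, Chinese or Japanese wordlists the article mentions.

```python
import os
import re

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words; shorter runs are noise.
BIP39_LENGTHS = {12, 15, 18, 21, 24}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".webp"}  # assumption: gallery formats


def load_wordlist(path):
    """Load a Latin-script BIP39 wordlist, one word per line (for example the
    reference english.txt; the path is an assumption of this example)."""
    with open(path, encoding="utf-8") as fh:
        return frozenset(line.strip().lower() for line in fh if line.strip())


def find_seed_phrases(text, wordlist, min_words=12):
    """Return runs of consecutive wordlist words at least min_words long.
    OCR output is noisy (line breaks, numbering like '1.' or '12)', stray
    punctuation), so anything that is not a letter is treated as a separator."""
    words = frozenset(w.lower() for w in wordlist)
    tokens = [t for t in re.split(r"[^a-z]+", text.lower()) if t]
    hits, run = [], []
    for tok in tokens + [""]:  # empty sentinel flushes the last run
        if tok in words:
            run.append(tok)
            continue
        if len(run) >= min_words:
            hits.append(run)
        run = []
    return hits


def ocr_image(path):
    """OCR one image. pytesseract and Pillow are assumed installed; they are
    imported lazily so the text detector above works without them."""
    import pytesseract
    from PIL import Image
    return pytesseract.image_to_string(Image.open(path), lang="eng")


def scan_gallery(folder, wordlist):
    """Map each image holding a mnemonic-like run to its runs, each tagged
    with whether the run length is a valid BIP39 phrase length."""
    findings = {}
    for root, _, files in os.walk(folder):
        for name in files:
            if os.path.splitext(name)[1].lower() in IMAGE_EXTS:
                path = os.path.join(root, name)
                runs = find_seed_phrases(ocr_image(path), wordlist)
                if runs:
                    findings[path] = [(r, len(r) in BIP39_LENGTHS) for r in runs]
    return findings
```

Run it as `scan_gallery("/path/to/exported/photos", load_wordlist("english.txt"))`; any image it returns is one to move into a password manager and delete from the gallery.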
