Several iOS and Android applications available on the official app stores of Apple and Google have been discovered to contain a malicious software development kit (SDK). According to findings by Kaspersky researchers, the SDK enables the extraction of crypto wallet seed recovery phrases.
The researchers have highlighted that the compromised apps on Google Play have exceeded 242,000 downloads combined. This is the first known instance of such a stealer being identified in Apple’s App Store.
In addition, these malicious applications have been distributed through unofficial app stores. The harmful SDK is referred to as Spark, a name taken from one of its components.
Once activated, the SDK tries to retrieve a configuration file from a GitLab URL and, if that fails, falls back to default settings. As soon as the configuration is downloaded successfully, Spark decrypts a payload from its assets and executes it in a separate thread.
This payload acts as a wrapper for the TextRecognizer interface from Google’s ML Kit library. It loads several optical character recognition (OCR) models based on the system language to identify Chinese, Korean, Latin, or Japanese characters within images.
The SDK transfers device information to a command and control (C2) server. The server then responds with an object that dictates subsequent malware operations, such as modifications that ensure the malware remains active. (We recently covered malware types and protection against them to help our readers understand the threats and take precautions.)
The researchers noted, “If access is granted, the SDK initiates its primary functions by sending a request to /api/e/config/recognition on the C2 server to obtain parameters for processing OCR results. These parameters are utilized by processor classes that filter images based on the words recognized by OCR.”
They added, “Curious about the types of images the attackers were targeting, the researchers requested a list of keywords for OCR-based searches from the C2 servers. They received terms in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese.”
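The one concrete network indicator the report gives is the C2 request path /api/e/config/recognition. The following Python script is an added example, not code from the article or from Kaspersky, showing how a defender could sweep web-proxy logs for that path and summarize which internal clients contacted it. The log format, client addresses and the C2 hostname (a .invalid placeholder) are constructed assumptions; the only value taken from the page is the request path.

```python
import re
from urllib.parse import urlparse
from collections import Counter

# Request path quoted in the Kaspersky findings; the host is unknown to us.
SPARK_CONFIG_PATH = "/api/e/config/recognition"

# Constructed sample proxy log lines (timestamp, client IP, method, URL, status).
# These are not real log entries; the C2 host is a labelled placeholder.
SAMPLE_PROXY_LOG = """\
2024-06-01T10:00:01Z 10.0.0.12 GET https://cdn.example.test/assets/app.js 200
2024-06-01T10:00:03Z 10.0.0.12 POST https://c2-placeholder.invalid/api/e/config/recognition 200
2024-06-01T10:00:05Z 10.0.0.19 GET https://www.example.test/index.html 200
2024-06-01T10:00:07Z 10.0.0.19 GET https://www.example.test/api/e/config/recognition-help 200
2024-06-01T10:00:09Z 10.0.0.12 POST https://c2-placeholder.invalid/api/e/config/recognition 200
"""

# One line: ISO timestamp, client IP, HTTP method, URL, status code.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_proxy_log(text):
    """Parse log text into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def find_spark_config_requests(text):
    """Return entries whose URL path exactly equals the reported C2 config path.

    The path is compared exactly (not as a substring) so that unrelated URLs
    that merely start with the same prefix are not flagged.
    """
    hits = []
    for entry in parse_proxy_log(text):
        if urlparse(entry["url"]).path == SPARK_CONFIG_PATH:
            hits.append(entry)
    return hits


def summarize_by_client(text):
    """Count flagged requests per client IP, for triage of which devices to isolate."""
    return Counter(hit["client"] for hit in find_spark_config_requests(text))


if __name__ == "__main__":
    for hit in find_spark_config_requests(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']}")
    print(dict(summarize_by_client(SAMPLE_PROXY_LOG)))
```

Because the GitLab configuration URL and the C2 host are not published on the page, the check keys on the path alone; in a real deployment, pair it with the host and any further indicators from the full Kaspersky report before raising an alert.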