The Register: Apple missed screenshot-snooping malware in code that made it into the App Store, Kaspersky claims

Source URL: https://www.theregister.com/2025/02/07/infected_apps_google_apple_stores/
Source: The Register
Title: Apple missed screenshot-snooping malware in code that made it into the App Store, Kaspersky claims

Feedly Summary: OCR plugin great for extracting crypto-wallet secrets from galleries
Kaspersky eggheads say they’ve spotted the first app containing hidden optical character recognition spyware in Apple’s App Store. Cunningly, the software nasty is designed to steal cryptocurrency.…

AI Summary and Description: Yes

Summary: Kaspersky researchers have uncovered a malicious app, dubbed SparkCat, which utilizes optical character recognition (OCR) spyware to steal cryptocurrency recovery phrases from user devices. This incident highlights vulnerabilities in both iOS and Android platforms, demonstrating that even official app stores can host dangerous applications, thus challenging the perception of inherent security in these ecosystems.

Detailed Description: Kaspersky's discovery of the SparkCat malware is a notable development in mobile app security and information security. The following points underscore its implications:

– **Malware Discovery**: Kaspersky identified an iOS app, ComeCome, with hidden OCR spyware, capable of stealing sensitive cryptocurrency data. It was also available on Google Play.

– **Operation of Malware**:
  – The app contains a malicious SDK that decrypts and runs an OCR plugin to locate screenshots of cryptocurrency wallet recovery phrases.
  – Once these phrases are captured, they are exfiltrated to an external command-and-control (C2) server, enabling attackers to gain control over users’ crypto wallets.

– **Targets and Impact**: The malware targets users primarily in Europe and Asia, demonstrating a significant reach with over 242,000 downloads across multiple apps on Google Play.

– **Security Challenges**:
  – This incident raises concerns about the robustness of app store screening processes, since the malware evaded initial checks while presenting itself as a legitimate service.
  – The findings show that iOS is not immune to malicious apps reaching the official store, contrary to the common perception of the platform as inherently secure.

– **Malware Functionality**:
  – The malicious module is obfuscated to hinder analysis; it is written primarily in Java and uses a Rust component for its communication with the C2 server.
  – It can deploy OCR models tailored to different languages, extending its ability to extract sensitive information from a diverse user base.

– **User Behavioral Exploits**: The app requests access to the user’s photo gallery under the guise of legitimate functionality; once granted, that permission lets it scan stored images for sensitive content such as recovery phrases.

– **Consequences for Security Professionals**:
  – This incident emphasizes the need for enhanced scrutiny in app vetting processes, as traditional screening may not be sufficient against sophisticated malware.
  – Privacy and security practitioners must educate users about the risks of granting camera and gallery access, especially where sensitive data such as cryptocurrency recovery phrases is stored in photos.

In conclusion, the SparkCat incident underscores the ongoing challenges in mobile app security and the need for both user education and proactive security measures by developers and platform providers alike.