Kaspersky Discovers Malicious SDKs in Apps Targeting Crypto Wallets on Android and iOS
Kaspersky Lab has uncovered multiple applications on the Google Play Store and Apple App Store that are infected with a malicious SDK designed to steal mnemonic phrases or recovery keys from cryptocurrency wallets.
The attackers registered aliyung[.]com, a look-alike of Alibaba Cloud's official domain (aliyun.com), possibly as a deliberate deception so that the SDK's traffic looks legitimate. If you hold cryptocurrency, check the list of affected apps published by Kaspersky and make sure none of them is installed on your devices.
In a recently published analysis, Kaspersky detailed this malicious activity, marking the first time the company has detected iOS apps using OCR (Optical Character Recognition) to steal crypto wallet mnemonic phrases.

The “SparkCat” Attack Campaign
Kaspersky has named this attack campaign “SparkCat,” derived from the name of the malicious SDK—Spark. It is believed that many app developers unknowingly integrated this malicious SDK into their applications.
According to Google Play download figures, apps containing this malicious SDK have been downloaded over 242,000 times on Google Play alone. Because Apple's App Store does not publicly disclose download counts, the number of affected iOS users remains unknown.
How the Attack Works
This attack primarily targets cryptocurrency investors. Once an infected app is installed, the SDK runs OCR over images on the device to find text that looks like a wallet mnemonic (recovery) phrase and extracts it. The stolen phrase is then sent to an attacker-controlled server; since a mnemonic phrase is all that is needed to restore a wallet, the attackers can import the victim's wallet on their own device and drain its funds.
Among the infected apps, the most downloaded was ChatAi, which surpassed 50,000 downloads. Following Kaspersky’s report, Google has removed this app from the Play Store to prevent further damage.
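The one network indicator the article gives is the look-alike domain aliyung[.]com. The following script is an added example (not Kaspersky's tooling) that does a first-pass triage of an APK for that indicator: an APK is a zip archive, and strings in classes.dex, native libraries and assets are normally stored in plain form, so a byte search over every archive entry will surface the domain unless the SDK obfuscates or encrypts its strings. The sample APK it builds in memory, including the file names inside it, is constructed for the demo and is not taken from any real app.

```python
"""Triage an APK for the SparkCat C2 domain named in the article.

Added example, not part of the original article or of Kaspersky's tooling.
Only the indicator (aliyung.com) comes from the article; the sample APK
built in build_sample_apk() is constructed for the demo.
"""
from __future__ import annotations

import io
import re
import sys
import zipfile

# Indicator from the article. The first pattern also captures any subdomain
# (e.g. api.aliyung.com); the second catches defanged copies in config files.
IOC_PATTERNS = [
    re.compile(rb"(?:[a-z0-9-]+\.)*aliyung\.com", re.IGNORECASE),
    re.compile(rb"aliyung\[\.\]com", re.IGNORECASE),
]


def scan_apk_bytes(data: bytes) -> dict[str, list[str]]:
    """Return {archive entry: [matched indicator strings]} for entries that hit.

    Every entry is searched as raw bytes, so it works on classes.dex, .so files
    and assets alike without parsing any of those formats. A clean APK yields {}.
    """
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info.filename)
            found = sorted(
                {
                    m.group(0).decode("ascii", "replace")
                    for pattern in IOC_PATTERNS
                    for m in pattern.finditer(content)
                }
            )
            if found:
                hits[info.filename] = found
    return hits


def scan_apk_file(path: str) -> dict[str, list[str]]:
    """Scan an APK on disk (e.g. one pulled with `adb pull`)."""
    with open(path, "rb") as f:
        return scan_apk_bytes(f.read())


def build_sample_apk(infected: bool) -> bytes:
    """Constructed APK-like zip for the demo; not a real app.

    The infected variant embeds the domain inside a fake native library and a
    defanged copy in an asset, mimicking where such strings typically sit.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.demo'/>")
        zf.writestr("classes.dex", b"dex\n035\x00https://api.example.com/v1\x00")
        if infected:
            zf.writestr(
                "lib/arm64-v8a/libdemo.so",
                b"\x7fELF....https://api.aliyung.com/upload\x00",
            )
            zf.writestr("assets/config.json", b'{"endpoint": "aliyung[.]com"}')
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python scan_apk.py app.apk   (no argument runs the built-in demo)
    if len(sys.argv) > 1:
        result = scan_apk_file(sys.argv[1])
    else:
        result = scan_apk_bytes(build_sample_apk(infected=True))
    if not result:
        print("no SparkCat indicator found")
    for entry, matches in result.items():
        print(f"{entry}: {', '.join(matches)}")
```

To check an app already installed on an Android device, locate its APK with `adb shell pm path <package>` and copy it out with `adb pull`, then run the script on the pulled file. A clean result only means the plain-text indicator is absent; it says nothing about an SDK that hides its server address behind string encryption or resolves it at runtime.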
Global Targeting with Multilingual Attacks
Through an in-depth analysis of the malicious SDK, Kaspersky found that it looks for mnemonic phrases written in Chinese, Japanese, Korean, and Latin scripts. While there is no concrete evidence that the attack is restricted to specific regions, this language coverage points to a global-scale threat, and crypto users worldwide should remain vigilant against it.