Cairo: TECHz- News Desk
Kaspersky has identified a new variant of the SparkCat Trojan in the App Store and Google Play – a year after the crypto-stealing malware was first discovered and removed from both platforms. The Trojan hides inside legitimate-looking apps and scans users’ photo galleries for cryptocurrency wallet recovery phrases.
The new version of SparkCat is distributed through infected legitimate apps – a messenger designed for enterprise communication and a food delivery app. Kaspersky experts found two infected apps on the App Store and one on Google Play, from which the malicious code has since been removed. Kaspersky telemetry shows that the apps infected with SparkCat are also distributed through third-party sources. A few of these web pages mimic the App Store when opened from an iPhone.
The updated variant of the Trojan for Android scans image galleries on compromised devices for screenshots containing specific keywords in Japanese, Korean, and Chinese, leading Kaspersky experts to assess that this campaign primarily targets cryptocurrency assets of users in Asia. The iOS variant, however, takes a different approach: it scans for cryptocurrency wallet mnemonic phrases, which are in English. This makes the iOS variant potentially broader in reach, as it can affect users regardless of their region.
Compared to previous versions, the updated SparkCat version for Android features multiple obfuscation layers, including code virtualization and cross-platform programming language usage – techniques that are rare for mobile malware.


