New malware targets users on App Store and Google Play

NGUYỄN ĐĂNG

Experts have just discovered a new type of malware called SparkKitty, designed to attack smartphones using iOS and Android operating systems.

Once the malware is on the user's phone, it sends images and device information from the infected phone to the attacker's server. SparkKitty is embedded in apps with content related to cryptocurrency and gambling, as well as in a fake version of the TikTok app.

These applications are distributed not only through the App Store and Google Play, but also on fraudulent websites. According to experts' analysis, the goal of this campaign could be to steal cryptocurrency from users in Southeast Asia and China. Users in Vietnam are also at risk of facing a similar threat.

Kaspersky cybersecurity experts have sent notices to Google and Apple to handle the above malicious applications. Some technical details show that this new attack campaign is related to SparkCat - a Trojan that was discovered earlier.

SparkCat is the first malware on the iOS platform to have an integrated optical character recognition (OCR) module that scans users' photo libraries to steal screenshots containing passwords or recovery phrases for cryptocurrency wallets.

On the App Store, this Trojan is disguised as a cryptocurrency-related application called "Economiccoin". In addition, on fraudulent websites designed to imitate the iPhone App Store interface, cybercriminals also spread this malware under the cover of the TikTok application and some betting games.

On the Android operating system, attackers target users on both Google Play and third-party websites, by disguising malware as cryptocurrency-related services.

One example of a malware-infected application is SOEX - a messaging application with integrated cryptocurrency trading functions, with more than 10,000 downloads from the official store.

In addition, experts also discovered APK files (Android application installation packages, which can be installed directly without Google Play) of these malware-infected applications on third-party websites, which are believed to be related to the above attack campaign.

These apps are being promoted in the form of cryptocurrency investment projects. Notably, websites that distribute apps are also widely promoted on social networks, including YouTube.

To avoid becoming a victim of this malware, experts recommend that users take the following safety measures:

- If you have installed one of the malware-infected apps, quickly remove the app from your device and do not reuse it until an official update is available that completely removes the malicious functionality.

- Avoid storing screenshots containing sensitive information in the photo library, especially images with cryptocurrency wallet recovery phrases. Instead, users can store login information in specialized password management applications.

- Install trusted security software to prevent the risk of malware infection.

- When an application requests access to the photo library, users should carefully consider whether this permission is really necessary for the application's main functions.
