Stealer apps in App Store for first time, stealing passwords from screenshot

The malware targeting Android and iOS is hidden in inconspicuous-looking apps. These apps gain access to photos and use text recognition.

[Image: a hand holding a cell phone in a dark room. Image credit: iHaMoo/Shutterstock.com]


Security researchers are once again warning of clever stealer apps that target Android users and, for the first time, apparently iPhone users as well. The malware, dubbed SparkCat, hides in various inconspicuous-looking apps distributed through the official stores, Google Play and Apple's App Store, as security firm Kaspersky reports. It is the first time such malware has been discovered in Apple's App Store. Apple has since removed it.

The scam is as simple as it is effective: The apps ask the user to allow access to the photo library under a pretext, for example when the user wants to contact the app provider's support. If access is granted, the app silently scans the user's photos, and screenshots in particular, for certain keywords. According to the analysis, Google's ML Kit text recognition is used for this.

The malware then extracts possible matches and uploads them to the attackers' servers. The attackers are primarily after seed or recovery phrases from crypto wallets, which users save as screenshots for convenience. Such a phrase is enough to restore the wallet on another device immediately and steal all the cryptocurrency it holds. The malware is flexible enough to read other sensitive data such as passwords or messages too, Kaspersky notes.


According to security researchers, the stealer apps have so far primarily targeted users in Europe and Asia. The Android versions of the stealer have been downloaded around 250,000 times; the number of downloads for the iOS versions remains unclear.

The apps Kaspersky names are obscure. Some of them are apparently built specifically to distribute the malware. However, it is also found in legitimate apps whose developers or providers may not even be aware of it, for example because it arrived bundled in a third-party SDK. How the malware gets past Google's and Apple's review processes is not known.

Smartphone users can arm themselves against such malware: passwords and especially seed phrases from crypto wallets should never be saved as screenshots or photos, and the same applies to other potentially sensitive data. Users should also be wary of permission requests, even when they look plausible. Both iOS and Android allow photo access to be restricted to selected images instead of the entire media library.
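The mechanism described above (OCR over the photo library, then keyword and seed-phrase matching) can be turned around into a self-audit: run OCR over your own screenshots and find the ones that expose a recovery phrase so they can be deleted. The following Python is an added example and is not code from the article or from Kaspersky's analysis. It assumes the OCR step has already been done by whatever tool you prefer and takes the extracted text as input; the BIP39 wordlist excerpt, the label list and the screenshot filenames are constructed for the example.

```python
import re

# Constructed excerpt of the BIP39 English wordlist (the real list has 2048
# words); an actual audit should load the complete list.
BIP39_WORDS = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb", "abstract",
    "absurd", "abuse", "access", "accident", "account", "accuse", "achieve", "acid",
    "acoustic", "acquire", "across", "act", "action", "actor", "actress", "actual",
    "write", "wrong", "year", "yellow", "young", "youth", "zebra", "zero", "zone", "zoo",
}

# Labels wallet apps print next to a phrase (assumed list). A weaker signal
# than the phrase words themselves, so it only earns a "review" verdict.
SENSITIVE_LABELS = (
    "seed phrase", "recovery phrase", "secret phrase",
    "mnemonic", "backup phrase", "private key",
)

MIN_SEED_WORDS = 12  # shortest BIP39 mnemonic


def longest_wordlist_run(text, wordlist=BIP39_WORDS):
    """Length of the longest run of consecutive words that are all in the wordlist.

    Digits and punctuation are ignored, so numbered layouts ("1. abandon 2. ...")
    still count. Ordinary prose rarely yields long runs because function words
    such as "the", "of" and "is" are not BIP39 words.
    """
    longest = current = 0
    for word in re.findall(r"[a-z]+", text.lower()):
        current = current + 1 if word in wordlist else 0
        longest = max(longest, current)
    return longest


def find_labels(text):
    lowered = text.lower()
    return [label for label in SENSITIVE_LABELS if label in lowered]


def audit_screenshot_text(text):
    """Classify one screenshot's OCR text as seed_phrase, review or clean."""
    run = longest_wordlist_run(text)
    labels = find_labels(text)
    if run >= MIN_SEED_WORDS:
        verdict = "seed_phrase"
    elif labels:
        verdict = "review"
    else:
        verdict = "clean"
    return {"seed_words": run, "labels": labels, "verdict": verdict}


def audit_library(ocr_results):
    """ocr_results maps a screenshot filename to its OCR text.
    Returns the non-clean files, worst first."""
    order = {"seed_phrase": 0, "review": 1}
    flagged = []
    for name, text in ocr_results.items():
        finding = audit_screenshot_text(text)
        if finding["verdict"] != "clean":
            flagged.append((name, finding))
    return sorted(flagged, key=lambda item: (order[item[1]["verdict"]], item[0]))


# Constructed OCR output standing in for a real photo-library scan.
SAMPLE_OCR = {
    "IMG_0001.png": "Recovery phrase\nabandon ability able about above absent "
                    "absorb abstract absurd abuse access accident",
    "IMG_0002.png": "1. zoo 2. zone 3. zero 4. zebra 5. youth 6. young "
                    "7. yellow 8. year 9. wrong 10. write 11. account 12. accuse",
    "IMG_0003.png": "Are you about to act on the account? The actor is able to write.",
    "IMG_0004.png": "Settings > Security > Back up your seed phrase",
}

if __name__ == "__main__":
    for name, finding in audit_library(SAMPLE_OCR):
        print(f"{name}: {finding['verdict']} "
              f"({finding['seed_words']} wordlist words, labels={finding['labels']})")
```

The run-length check is what keeps false positives low: a chat screenshot full of common words like "about" or "account" (IMG_0003) never produces twelve wordlist words in a row, while a numbered or labelled phrase does regardless of layout. Anything the audit flags as seed_phrase should be removed from the photo library and the wallet treated as exposed if the image was ever backed up to a cloud service or reachable by an app with full photo access.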

(lbe)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.