{"id":41833,"date":"2025-02-05T09:57:49","date_gmt":"2025-02-05T09:57:49","guid":{"rendered":"https:\/\/mycryptomania.com\/?p=41833"},"modified":"2025-02-05T09:57:49","modified_gmt":"2025-02-05T09:57:49","slug":"malicious-sdks-on-google-play-and-app-store-steal-crypto-seed-phrases-kaspersky","status":"publish","type":"post","link":"https:\/\/mycryptomania.com\/?p=41833","title":{"rendered":"Malicious SDKs On Google Play And App Store Steal Crypto Seed Phrases: Kaspersky"},"content":{"rendered":"<p><span>Cybersecurity firm Kaspersky Labs has uncovered a sophisticated malware campaign targeting cryptocurrency users through malicious software development kits (SDKs) embedded in mobile apps on Google Play and the Apple App Store. <\/span><\/p>\n<p><span>These compromised apps use an optical character recognition (OCR) tool to scan users\u2019 photos for crypto wallet recovery phrases, allowing hackers to drain funds from affected wallets.<\/span><\/p>\n<p><span>In a 4\u00a0<\/span><a class=\"editor-rtfLink\" href=\"https:\/\/securelist.ru\/sparkcat-stealer-in-app-store-and-google-play\/111638\/\" target=\"_blank\" rel=\"noopener\"><span>February 2025 report<\/span><\/a><span>, Kaspersky analysts Sergey Puzan and Dmitry Kalinin detailed how the malware, known as SparkCat, infiltrates devices and searches for images containing recovery phrases using keyword detection across multiple languages. <\/span><\/p>\n<p><strong><span>EXPLORE:\u00a0<\/span><a class=\"editor-rtfLink\" href=\"https:\/\/99bitcoins.com\/analysis\/crypto-forecast-best-crypto\/\" target=\"_blank\" rel=\"noopener\"><span>10 Coins with High Returns: Crypto Forecast 2025<\/span><\/a><\/strong><\/p>\n<h2><span>Seed Phrases Allow Attackers to Access Crypto Wallets<\/span><\/h2>\n<p><span>Once extracted, these phrases grant attackers complete access to victims\u2019 crypto wallets. \u201cThe intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim\u2019s wallet for further theft of funds,\u201d the researchers wrote. <\/span><\/p>\n<p><span>They also warned that the malware\u2019s flexibility enables it to steal other sensitive data, such as passwords and private messages captured in screenshots.<\/span><\/p>\n<p><span>On Android,<\/span><span> the malware disguises itself as a Java-based analytics module called Spark and receives operational updates via an encrypted configuration file stored on GitLab.<\/span><span> It employs Google\u2019s ML Kit OCR to extract text from images stored on infected devices. <\/span><\/p>\n<p><span>If a recovery phrase is detected, the malware transmits it to attackers, who can <\/span><span>then<\/span><span> import the victim\u2019s crypto wallet onto their own devices without needing a password.<\/span><\/p>\n<p><span>Kaspersky estimates that SparkCat has been downloaded approximately 242,000 times since its emergence in March 2023, primarily targeting users in Europe and Asia.<\/span><\/p>\n<p>Since mid-2024, we\u2019ve been tracking a sophisticated Android malware campaign that exploits wedding invitations to deceive users into installing a malicious APK\u2014Tria Stealer.<\/p>\n<p>Once installed, this malware intercepts SMS messages, tracks call logs, and steals data from Gmail and\u2026 <a href=\"https:\/\/t.co\/TQbQjHvmjm\" target=\"_blank\" rel=\"noopener\">pic.twitter.com\/TQbQjHvmjm<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/1886351370841632873?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener\">February 3, 2025<\/a><\/p>\n\n<p><span>The malware has been found across dozens of apps\u2014some appearing legitimate, such as food delivery services<\/span><span>, while<\/span><span> others <\/span><span>are suspiciously designed<\/span><span> to attract victims, such as messaging apps with AI features. <\/span><\/p>\n<p><span>The infected apps share common characteristics, including the use of Rust programming language, which is uncommon in mobile applications, cross-platform functionality, and obfuscation techniques that make detection difficult.<\/span><\/p>\n<p><strong><span>EXPLORE:\u00a0<\/span><a class=\"editor-rtfLink\" href=\"https:\/\/99bitcoins.com\/analysis\/crypto-forecast-best-crypto\/\" target=\"_blank\" rel=\"noopener\"><span>10 Coins with High Returns: Crypto Forecast 2025<\/span><\/a><\/strong><\/p>\n<h2><span>Unidentified Origins<\/span><\/h2>\n<p><span>Puzan and Kalinin stated that it remains uncertain whether the affected apps were intentionally embedded with the malware by developers or compromised through a supply chain attack.<\/span><\/p>\n<p><span>\u201cSome apps, such as food delivery services, appear legitimate, while others are <\/span><span>clearly<\/span><span> built to lure victims,\u201d the researchers noted, adding that several similar-looking AI messaging apps <\/span><span>were traced<\/span><span> back to the same developer.<\/span><\/p>\n<p><span>Although Kaspersky has not attributed SparkCat to any known hacking group, researchers discovered Chinese-language comments and error messages within the malware\u2019s code, leading them to believe that the developer is fluent in Chinese.<\/span><\/p>\n<p><span>The malware bears similarities to a March 2023 campaign discovered by ESET researchers, but its exact origins remain unknown.<\/span><\/p>\n<p><span>Kaspersky urges users to avoid storing sensitive information, such as crypto wallet recovery phrases<\/span><span>, in their photo galleries<\/span><span>.<\/span><span> Instead, they recommend using password managers and regularly scanning for and removing suspicious applications.<\/span><\/p>\n<p><strong><span>EXPLORE:\u00a0<\/span><a class=\"editor-rtfLink\" href=\"https:\/\/99bitcoins.com\/cryptocurrency\/new-coinbase-listings\/\" target=\"_blank\" rel=\"noopener\"><span>15 New &amp; Upcoming Coinbase Listings to Watch in 2025<\/span><\/a><\/strong><\/p>\n<p>The post <a href=\"https:\/\/99bitcoins.com\/news\/malicious-sdks-on-google-play-and-app-store-steal-crypto-seed-phrases-kaspersky\/\">Malicious SDKs On Google Play And App Store Steal Crypto Seed Phrases: Kaspersky<\/a> appeared first on <a href=\"https:\/\/99bitcoins.com\/\">99Bitcoins<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Cybersecurity firm Kaspersky Labs has uncovered a sophisticated malware campaign targeting cryptocurrency users through malicious software development kits (SDKs) embedded in mobile apps on Google Play and the Apple App Store. These compromised apps use an optical character recognition (OCR) tool to scan users\u2019 photos for crypto wallet recovery phrases, allowing hackers to drain funds [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-41833","post","type-post","status-publish","format-standard","hentry","category-discovery"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/41833"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=41833"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/41833\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=41833"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=41833"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=41833"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}