Full Report
A new malware campaign dubbed SparkCat has leveraged a suite of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets. The attacks leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to a command-and-control (C2) server,
Analysis Summary
# Tool/Technique: SparkCat Stealer
## Overview
SparkCat is a malware campaign that utilizes seemingly legitimate applications distributed on both Apple's App Store and Google Play to steal victims' cryptocurrency wallet mnemonic phrases. It employs Optical Character Recognition (OCR) to scan images in photo libraries for recovery phrases and exfiltrates them to a Command and Control (C2) server.
## Technical Details
- Type: Malware Family (Information Stealer)
- Platform: iOS, Android
- Capabilities: OCR-based credential theft, Rust-based C2 communication, masquerading as legitimate apps (AI, food delivery, Web3).
- First Seen: Active since March 2024
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
- TA0009 - Collection
- T1119 - Automated Collection
- T1119.001 - OCR (Implied via screenshot/image analysis of photo library)
- TA0005 - Defense Evasion
- T1218 - Signed Binary Proxy Execution (Potentially, depending on SDK usage/signing)
## Functionality
### Core Capabilities
- **Image Harvesting:** Accesses user photo libraries to scan images.
- **OCR Processing:** Uses Google's ML Kit library (on both Android and iOS) to recognize text within images.
- **Keyword Matching:** Filters images based on keywords received from the C2 server (likely searching for seed/mnemonic phrase patterns).
- **Exfiltration:** Sends matching images containing wallet recovery phrases to the C2 infrastructure.
### Advanced Features
- **Cross-Platform Deployment:** Successfully deployed on both Android (Google Play, >242,000 downloads suspected) and iOS (Apple App Store).
- **Stealthy Persistence:** Relies on seemingly benign permission requests, offering no easily identifiable malicious implant upon initial inspection.
- **Rust C2 Communication:** Utilizes a Rust-based communication mechanism for C2, which is noted as rare in mobile applications.
- **Embedded SDK:** Employs an embedded Software Development Kit (SDK) using a Java component named "Spark," masquerading as an analytics module.
## Indicators of Compromise
- File Hashes: [Information not provided in the text]
- File Names: [Information not provided in the text, relies on app store names]
- Registry Keys: [Not applicable to mobile OS focus listed here]
- Network Indicators: C2 servers (specific addresses/domains are not listed in the source text; only the behavior of the C2 interaction is described).
- Behavioral Indicators: Abnormal scanning of the photo library, high network traffic related to image uploads, use of Google's ML Kit for unauthorized text recognition on gallery images.
## Associated Threat Actors
- Threat actor fluent in Chinese, primarily targeting users in Europe and Asia.
## Detection Methods
- Signature-based detection: Difficult due to the lack of a distinct malicious implant; detection would rely on app submission filtering.
- Behavioral detection: Monitoring for applications accessing the photo gallery and performing heavy OCR processing, followed by subsequent network communication.
- YARA rules: [YARA rules are not provided or mentioned in the text]
## Mitigation Strategies
- Proper vetting of applications downloaded from official and unofficial app stores.
- Scrutinizing app reviews and verifying developer authenticity before installation.
- Limiting permissions for non-essential mobile applications, particularly sensitive ones like photo library access.
## Related Tools/Techniques
- Mobile malware campaigns using OCR capabilities (e.g., the previously detected Android malware that used OCR).
- General information stealers targeting cryptocurrency data (e.g., Poseidon, Atomic and Cthulhu, which target macOS rather than mobile platforms).
---
# Tool/Technique: FatBoyPanel Malware Campaign
## Overview
FatBoyPanel is a mobile malware campaign primarily targeting Android users in India. It distributes malicious APK files disguised as banking and government applications via WhatsApp, focusing on harvesting sensitive personal and financial information, including SMS messages and OTPs.
## Technical Details
- Type: Malware Campaign (Banking Trojan, Information Stealer)
- Platform: Android
- Capabilities: SMS interception, OTP harvesting, data exfiltration to unauthenticated Firebase endpoints.
- First Seen: Active shortly before the reporting period described; the volume of harvested data suggests significant activity.
## MITRE ATT&CK Mapping
- TA0010 - Exfiltration
- T1048 - Exfiltration Over Alternative Protocol (SMS/Messaging)
- TA0009 - Collection
- T1056.001 - Input Capture: Keylogging (Implied via sensitive data collection)
- TA0005 - Defense Evasion
- T1562.001 - Disable or Modify Tools (Potential, often associated with OTP theft to prevent 2FA verification)
## Functionality
### Core Capabilities
- **Delivery:** Distribution via WhatsApp using malicious APK files.
- **Masquerade:** Pretends to be legitimate banking or government applications.
- **Data Harvesting:** Collects sensitive personal data, bank details, credit/debit card information, and government IDs.
- **OTP Theft:** Intercepts SMS messages containing One-Time Passwords (OTPs).
### Advanced Features
- **SMS Redirection/Harvesting:** Leverages approximately 1,000 hardcoded live phone numbers as exfiltration points for intercepted SMS messages and OTPs, rather than relying solely on traditional C2 servers for OTP theft.
- **Unsecured Data Storage:** Stores the harvested 2.5 GB of sensitive data on Firebase endpoints accessible without authentication.
## Indicators of Compromise
- File Hashes: [Information not provided in the text]
- File Names: Malicious APKs disguised as various applications.
- Registry Keys: [Not applicable to mobile OS focus listed here]
- Network Indicators: Exfiltration points consist of roughly 1,000 hardcoded phone numbers used for SMS capture; harvested data is hosted on unauthenticated Firebase endpoints (specific domains/IPs are not listed in the source text).
- Behavioral Indicators: Requesting SMS read/write permissions, high volume of SMS activity, and unusual outbound traffic to Firebase links.
## Associated Threat Actors
- Unnamed threat actor(s) associated with the campaign named FatBoyPanel, specifically targeting Indian device owners.
## Detection Methods
- Signature-based detection: Detection of known malicious APK payloads.
- Behavioral detection: Monitoring for apps aggressively requesting SMS permissions and accessing large volumes of message/financial data.
- YARA rules: [YARA rules are not provided or mentioned in the text]
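As an added defender-side example (not code from the source report or from either campaign), the behavioral and permission-based indicators listed for both SparkCat and FatBoyPanel can be turned into a static triage heuristic over an app's manifest permissions, bundled libraries and string literals. The `AppProfile` structure, the sample app profiles and the threshold of 50 phone numbers are constructed assumptions; the permission names and ML Kit identifiers are real.

```python
import re
from dataclasses import dataclass

# Real Android permission and ML Kit identifiers; the AppProfile shape is assumed
# (in practice it would be filled by a manifest/DEX string extractor).
PHOTO_PERMS = {"android.permission.READ_MEDIA_IMAGES", "android.permission.READ_EXTERNAL_STORAGE"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS", "android.permission.SEND_SMS"}
OCR_LIBS = ("com.google.mlkit.vision.text", "com.google.mlkit:text-recognition")
PHONE_RE = re.compile(r"(?<![\d+])\+?\d{10,13}(?!\d)")
FIREBASE_RE = re.compile(r"https://[\w.-]+\.firebaseio\.com")


@dataclass
class AppProfile:
    name: str
    permissions: set
    libraries: set
    strings: list


def triage(app, phone_threshold=50):
    """Return human-readable findings; each is a triage signal, not a verdict."""
    findings = []
    perms = app.permissions
    has_net = "android.permission.INTERNET" in perms
    uses_ocr = any(lib.startswith(OCR_LIBS) for lib in app.libraries)
    # SparkCat pattern: gallery access + on-device OCR + network egress.
    # Legitimate scanner apps also match, so this only prioritises manual review.
    if perms & PHOTO_PERMS and uses_ocr and has_net:
        findings.append("photo-library OCR with network egress (SparkCat-style)")
    # FatBoyPanel pattern: SMS permissions + a large block of hardcoded phone numbers
    # (exfiltration points) and/or a Firebase database URL in the string table.
    phones = {m.group() for s in app.strings for m in PHONE_RE.finditer(s)}
    if perms & SMS_PERMS and len(phones) >= phone_threshold:
        findings.append(f"SMS permissions plus {len(phones)} hardcoded phone numbers (FatBoyPanel-style)")
    if perms & SMS_PERMS and any(FIREBASE_RE.search(s) for s in app.strings):
        findings.append("SMS permissions plus Firebase database URL (possible unauthenticated exfiltration store)")
    return findings


# Constructed sample profiles (not real apps).
SPARKCAT_LIKE = AppProfile("food-delivery-app", {"android.permission.INTERNET", "android.permission.READ_MEDIA_IMAGES"},
                           {"com.google.mlkit.vision.text", "com.example.spark"}, ["https://api.example.invalid/v1"])
FATBOY_LIKE = AppProfile("bank-kyc-app", {"android.permission.INTERNET", "android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"}, set(),
                         [f"+91{9000000000 + i}" for i in range(60)] + ["https://example-project.firebaseio.com/sms.json"])
BENIGN = AppProfile("notes-app", {"android.permission.INTERNET", "android.permission.READ_MEDIA_IMAGES"},
                    {"com.squareup.okhttp3"}, ["https://notes.example.invalid/sync"])

if __name__ == "__main__":
    for app in (SPARKCAT_LIKE, FATBOY_LIKE, BENIGN):
        print(app.name, triage(app) or ["no findings"])
```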
## Mitigation Strategies
- Avoid installing APKs received via messaging platforms like WhatsApp unless the source and application authenticity are absolutely verified.
- Where possible, use multi-factor authentication methods that are not susceptible to SMS interception (e.g., hardware tokens).
- Regularly audit app permissions on Android devices.
## Related Tools/Techniques
- Conventional banking Trojans that rely on C&C servers for OTP theft.
- Mobile malware campaigns utilizing social engineering for direct APK distribution.