Kaspersky experts discover iOS and Android apps infected with the SparkCat crypto stealer in Google Play and the App Store. It steals crypto wallet data using an OCR model.
Analysis Summary
# Tool/Technique: OCR Crypto Stealer Framework (Implied SparkCat Stealer Variant)
## Overview
This entry summarizes findings regarding a malicious framework embedded within applications distributed via both Google Play (Android) and the App Store (iOS). The primary purpose of this framework is the theft of cryptocurrency information, likely utilizing Optical Character Recognition (OCR) capabilities to harvest sensitive data displayed on the screen. The malware operates stealthily, often disguised within seemingly legitimate applications like food delivery or AI messaging services.
## Technical Details
- Type: Malware Framework / Trojan
- Platform: Android and iOS
- Capabilities: Cryptocurrency theft via screen scraping/OCR; C2 communication; Stealthy operation.
- First Seen: Context implies detection around February 2025 based on the article date.
## MITRE ATT&CK Mapping
*Note: Specific technique IDs are inferred from the described functionality (screen capture/OCR-based theft on mobile devices).*
- **TA0001 - Initial Access**
  - *(Potential T1485 - Data from Local System, if data exfiltration is considered part of the access chain; more likely a post-exploitation step)*
- **TA0010 - Exfiltration**
  - **T1041 - Exfiltration Over C2 Channel**
- **TA0011 - Command and Control**
  - **T1071 - Application Layer Protocol** (implied by C2 communication)
- **TA0005 - Defense Evasion**
  - **T1027 - Obfuscated Files or Information** (due to stealthy operation)
## Functionality
### Core Capabilities
- **Cryptocurrency Theft:** Targets credentials or key material for cryptocurrency wallets, likely by capturing or reading on-screen content (an OCR capability consistent with known crypto stealers).
- **Cross-Platform Operation:** Evidence suggests the framework targets both Android (via APKs such as `com.bintiger.mall.android`) and iOS devices.
- **Stealth:** The malware implants do not heavily rely on high-risk permissions, appearing to request permissions necessary for the legitimate functions of the host application.
### Advanced Features
- **C2 Communication:** Sends device information (e.g., `deviceType` set to 'android') to a Command and Control (C2) server.
- **Localization Clues:** Error messages returned by the C2 server and code comments within the resource files were in Chinese, suggesting the developer is a fluent Chinese speaker.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: Affected APK name observed: `com.bintiger.mall.android`
- Registry Keys: [Not applicable/Not provided]
- Network Indicators: C2 server endpoints exist but are not listed in the provided context. Communication with the C2 server uses application layer protocols.
- Behavioral Indicators: Sending device type information to C2; Returning Chinese language error responses from C2.
## Associated Threat Actors
- No definitive attribution to a known cybercrime gang could be made based on the data provided, though the developer shows strong ties to the Chinese language.
## Detection Methods
- Signature-based detection: Likely requires signatures for the specific malicious SDK/framework embedded.
- Behavioral detection: Monitoring for unusual connections to external C2 servers originating from seemingly benign apps, especially those requesting unusual background operations or screen interaction permissions.
- YARA rules: [Not provided]
## Mitigation Strategies
- **Application Vetting:** Rigorous screening and analysis must be applied to apps, even those that appear legitimate or pass initial marketplace security checks.
- **Principle of Least Privilege:** Users should monitor permissions requested by installed applications, especially those related to accessibility or screen reading if such techniques are suspected.
- **iOS Security Awareness:** Recognize that iOS devices are also susceptible to application-based threats, contrary to the common assumption that the platform is immune.
## Related Tools/Techniques
- OCR-based crypto wallet theft scams (General category).
- This implementation appears related to other supply-chain or platform-specific malware designed to steal mobile financial credentials.