Take my money: OCR crypto stealers in Google Play and App Store

Feb. 5, 2025, 9:47 p.m.

Description

Researchers discovered a new malware campaign, dubbed 'SparkCat', targeting Android and iOS users through both official and unofficial app stores. The malicious component, embedded in various apps, uses OCR to scan the device's image gallery for screenshots of crypto wallet recovery phrases. Infected apps on Google Play had over 242,000 downloads, and this is the first known case of such a stealer in Apple's App Store. The malware uses Google's ML Kit for OCR and communicates with its C2 servers over a custom protocol implemented in Rust. It targets users in Europe and Asia, searching the recognised text for wallet-related keywords in multiple languages. The campaign has been active since March 2024, and its presence in both official stores shows how effectively it evades detection. Any app granted gallery access can read such screenshots, so the practical mitigation is to never store a recovery phrase as an image.
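As an added example, not code from the report or from SparkCat itself, the Python triage helper below shows what the stealer's selection step amounts to in practice and doubles as a self-check you can run over OCR output from your own screenshots: given text recovered from an image, it looks for wallet-related keywords in several languages and for a run of BIP-39-shaped words. The keyword list is an assumption about what such a stealer would search for, not SparkCat's actual list, and the sample OCR outputs are constructed.

```python
"""Triage text recovered from images: does it look like a wallet recovery phrase?

Added example for this page; not code from the SparkCat report or the malware.
The keyword list is an assumption, and the sample OCR outputs are constructed.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field

# Constructed multilingual keyword set (assumption, not SparkCat's real list).
KEYWORDS: dict[str, list[str]] = {
    "en": ["seed phrase", "recovery phrase", "mnemonic", "secret phrase", "backup phrase"],
    "fr": ["phrase de récupération", "phrase secrète"],
    "pt": ["frase de recuperação", "frase semente"],
    "ru": ["сид-фраза", "мнемоническая фраза", "фраза восстановления"],
    "zh": ["助记词", "恢复短语"],
    "ja": ["シードフレーズ", "リカバリーフレーズ"],
    "ko": ["시드 구문", "복구 구문"],
}
# Chinese and Japanese have no spaces between words, so a word-boundary match
# would miss the keyword; use a plain substring test for those scripts.
NO_WORD_BOUNDARY = {"zh", "ja"}

# BIP-39 English words are 3 to 8 lowercase letters; 12 words is the shortest
# standard mnemonic. Backup screens number the words ("1. abandon 2. ability")
# and OCR keeps those labels, so they are stripped before looking for the run.
BIP39_WORD = re.compile(r"^[a-z]{3,8}$")
MIN_PHRASE_WORDS = 12
NUMBERING = re.compile(r"\b\d+[.):]?")


@dataclass
class Verdict:
    keyword_hits: list[tuple[str, str]] = field(default_factory=list)
    phrase_candidates: list[list[str]] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.keyword_hits or self.phrase_candidates)


def normalize(text: str) -> str:
    # NFKC folds full-width forms OCR often emits; casefold handles case across scripts.
    return unicodedata.normalize("NFKC", text).casefold()


def find_keywords(text: str) -> list[tuple[str, str]]:
    """Return (language, keyword) pairs present in the text."""
    norm = normalize(text)
    hits: list[tuple[str, str]] = []
    for lang, words in KEYWORDS.items():
        for kw in words:
            kw_norm = normalize(kw)
            if lang in NO_WORD_BOUNDARY:
                found = kw_norm in norm
            else:
                found = re.search(r"(?<!\w)" + re.escape(kw_norm) + r"(?!\w)", norm) is not None
            if found:
                hits.append((lang, kw))
    return hits


def find_phrase_candidates(text: str) -> list[list[str]]:
    """Runs of >= 12 consecutive BIP-39-shaped words. Capitalised words,
    punctuation and short function words ("to", "is") break the run, which
    keeps ordinary sentences from being flagged."""
    runs: list[list[str]] = []
    current: list[str] = []
    for token in NUMBERING.sub(" ", text).split():
        if BIP39_WORD.match(token):
            current.append(token)
            continue
        if len(current) >= MIN_PHRASE_WORDS:
            runs.append(current)
        current = []
    if len(current) >= MIN_PHRASE_WORDS:
        runs.append(current)
    return runs


def triage(ocr_text: str) -> Verdict:
    return Verdict(find_keywords(ocr_text), find_phrase_candidates(ocr_text))


# Constructed sample OCR outputs (not real victim data).
SAMPLE_SEED_SCREENSHOT = (
    "Your Secret Recovery Phrase\n"
    "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
)
SAMPLE_ZH_WARNING = "请妥善保管您的助记词，切勿截图或拍照。"
SAMPLE_BENIGN = "Lunch at 12 with the team, bring the quarterly report"

if __name__ == "__main__":
    for name, sample in [("seed screenshot", SAMPLE_SEED_SCREENSHOT),
                         ("zh warning", SAMPLE_ZH_WARNING),
                         ("benign", SAMPLE_BENIGN)]:
        v = triage(sample)
        print(f"{name}: suspicious={v.suspicious} keywords={v.keyword_hits} "
              f"phrase_lengths={[len(p) for p in v.phrase_candidates]}")
```

Feed it the text your OCR engine (ML Kit, Tesseract or similar) recovers from each image and review anything `triage()` marks suspicious. The heuristics are deliberately loose: a stealer only needs a cheap filter to decide which images are worth uploading, and a defender running this over a gallery would rather see a few false positives than miss a backup screenshot.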

Date

  • Created: Feb. 5, 2025, 2:55 p.m.
  • Published: Feb. 5, 2025, 2:55 p.m.
  • Modified: Feb. 5, 2025, 9:47 p.m.

Attack Patterns

  • SparkCat
  • T1113 (Screen Capture)
  • T1056 (Input Capture)

Additional Information

  • Technology
  • Finance
  • Zimbabwe
  • China
  • Indonesia
  • Kazakhstan