
First OCR Spyware Breaches Both Apple and Google App Stores To Steal Crypto Wallet Phrases (securelist.com)

Kaspersky researchers have discovered malware hiding in both Google Play and Apple's App Store that uses optical character recognition to steal cryptocurrency wallet recovery phrases from users' photo galleries. Dubbed "SparkCat" by security firm ESET, the malware was embedded in several messaging and food delivery apps, with the infected Google Play apps accumulating over 242,000 downloads combined.

This marks the first known instance of such OCR-based spyware making it into Apple's App Store. The malware, active since March 2024, masquerades as an analytics SDK called "Spark" and leverages Google's ML Kit library to scan users' photos for wallet recovery phrases in multiple languages. It requests gallery access under the guise of allowing users to attach images to support chat messages. When granted access, it searches for specific keywords related to crypto wallets and uploads matching images to attacker-controlled servers.

The researchers found both Android and iOS variants using similar techniques, with the iOS version being particularly notable as it circumvented Apple's typically stringent app review process. The malware's creators appear to be Chinese-speaking actors based on code comments and server error messages, though definitive attribution remains unclear.

  • wtf (Score:3, Insightful)

    by Anonymous Coward on Wednesday February 05, 2025 @03:46PM (#65144879)
    recovery phrases in photo galleries? ummm WTF. People are stupid.
  • by NotEmmanuelGoldstein ( 6423622 ) on Wednesday February 05, 2025 @05:19PM (#65145221)

    ... users' photo galleries.

    This is no different to having the pass-phrase in a text file: Anyone can read it. Worse, Microsoft and Google make a point of copying on-device photos (for your safety, pinky-swear). Microsoft has even been caught installing Recall spyware that makes photos, copies them, then translates them to literal text as a quote or description. With that sort of security hole in modern computers, it's obvious that anything not encrypted is easily stolen. (I side-step the issue that Recall can watch you encrypting stuff, making the activity insecure.)

    Everyone knows by now, don't attach the password to the device display, don't put it under your keyboard or on your credit card. It demonstrates extreme laziness, to think that a photo is, somehow, more secure. This is simply people refusing to use the software that actually solves this problem: A password manager. Most of them can also encrypt a photo.

  • Seems Kaspersky is always discovering this stuff, but the USA can't use Kaspersky because it might be ...gulp.... spyware! Maybe someone can point out to Trump that Biden banned it, so he then unbans it.
  • This does not make sense. iOS, for a few years now, has blocked 3rd-party apps' access to your photo library by default. What's more, when you use a 3rd-party app that wants to read your photos, you authorize each photo you want to share, edit, or whatever you want to do with it, individually.

    I'm going to guess and hope that no one is enough of a goofus to share the photo of their crypto wallet passphrase with some random app. So how does this malware break through the OS's protections and get to the rest of the

    • by mysidia ( 191772 )

      you authorize each photo you want to share, edit, or whatever you want to do with it, individually.

      That is up to the app. Yes, access to the photo gallery is protected by extended permissions that apps don't have by default,

      and sure, you can change the permissions you are granting from Full access to Limited access and pick specific photos.

      But an app can still request Full access to photos, at least initially when you install the app. If you are persuaded to click Allow, then the app gets access to you
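The summary above says the malware asked for gallery access so users could "attach images to support chat messages", and the comment thread turns on the difference between Full and Limited photo access. The Swift below is an added example, not code from the Slashdot story, Kaspersky, ESET, or any of the apps mentioned; the class name `SupportChatViewController` and the `attach(_:)` method are hypothetical. It shows the two things a reviewer or security-conscious developer would want to see side by side: that the legitimate "attach a photo" use case can be served by the system picker (`PHPickerViewController`), which hands the app only the items the user picks and needs no photo-library permission at all, and how to read back the permission level an app actually holds (`.limited` is the "pick specific photos" mode mysidia describes; `.authorized` is the full-library access a gallery-scanning SDK would need). An app that insists on full access for nothing more than attaching an image to a chat is therefore asking for more than its stated purpose requires.

```swift
import UIKit
import Photos
import PhotosUI

// Hypothetical support-chat screen (example code only; not from the page).
final class SupportChatViewController: UIViewController, PHPickerViewControllerDelegate {

    // Preferred path: the out-of-process system picker. The app never receives a
    // photo-library permission; it only gets the item(s) the user explicitly selects,
    // so there is nothing for an embedded SDK to enumerate or OCR.
    @objc func attachImageTapped() {
        var config = PHPickerConfiguration()   // default init: no PHPhotoLibrary, no permission prompt
        config.filter = .images
        config.selectionLimit = 1
        let picker = PHPickerViewController(configuration: config)
        picker.delegate = self
        present(picker, animated: true)
    }

    func picker(_ picker: PHPickerViewController, didFinishPicking results: [PHPickerResult]) {
        picker.dismiss(animated: true)
        guard let provider = results.first?.itemProvider,
              provider.canLoadObject(ofClass: UIImage.self) else { return }
        provider.loadObject(ofClass: UIImage.self) { [weak self] object, _ in
            guard let image = object as? UIImage else { return }
            DispatchQueue.main.async { self?.attach(image) }
        }
    }

    // Hypothetical: upload the single chosen image to the support ticket.
    func attach(_ image: UIImage) { }
}

// What a reviewer (or the user, via Settings > Privacy > Photos) is really looking at:
// the authorization level the app holds for the whole library.
func describePhotoAccess() -> String {
    switch PHPhotoLibrary.authorizationStatus(for: .readWrite) {
    case .notDetermined:        return "never asked"
    case .limited:              return "limited: only user-selected photos"
    case .authorized:           return "full library access"   // required to scan every photo
    case .denied, .restricted:  return "no access"
    @unknown default:           return "unknown"
    }
}
```

The design point is that the permission prompt itself is the signal: a support-chat attachment flow built on `PHPickerViewController` never shows a photo-library prompt, so a "Full access" request from such a feature is a mismatch between stated purpose and requested capability. On the user side, choosing "Select Photos" (the `.limited` state) when a prompt does appear caps what any SDK inside the app can reach.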
