Mobile Malware attack used Store apps and OCR to steal cryptocurrency recovery codes
Malicious applications that are uploaded to Google's Play Store or Apple's App Store continue to be a problem for users worldwide. Google said that it blocked more than 2.3 million risky Android apps in 2024 alone.
Kaspersky security researchers have uncovered a recent malware attack. The goal of SparkCat, the name Kaspersky gave the malware, was to obtain cryptocurrency recovery codes.
The details:
- Threat actors managed to upload apps to Google Play and App Store.
- Apps were also distributed through unofficial channels.
- The apps were embedded with a malicious SDK.
- SparkCat has been active since at least April 2024.
Kaspersky says that infected apps on Google Play were downloaded more than 240,000 times by users. The malware would install an OCR plugin after launch to scan images on infected devices for recovery codes.
Good to know: Cryptocurrency recovery codes may be used to gain access to wallets. Discovered codes were sent to remote servers for processing.
Kaspersky mentions a few of the application names and how they were advertised on Google Play. The app ComeCome-Chinese Food Delivery showed professional-looking screenshots of the application. It was downloaded more than 10,000 times according to Kaspersky and was popular in Indonesia and the United Arab Emirates.
Another app mentioned by Kaspersky is ChatAI. It had more than 50,000 downloads on Google Play. The number of downloads from unofficial sources is unknown.
Kaspersky came to the following conclusions after analysis of the malware:
- It was designed to target mostly Android and iPhone users in Europe and Asia.
- Some applications appear to operate in several countries.
- Some apps supported signing up with phone numbers.
The malware uses the Rust programming language, which is not used widely in mobile apps.
Conclusions
Google and Apple use automated security systems to detect malicious apps during upload and also after they have been published on the application stores. These protections catch the vast majority of malware, but they are not perfect.
This means that malicious apps will remain an issue for users, even if they limit their downloads to the official stores. This incident highlights that even Apple's defenses are not impenetrable.
We have mentioned such attacks several times in the past. Ashwin mentioned malicious Play Store apps in 2022, and I wrote about a malware that infected 1.5 million Android devices in 2023. Many such stories exist.
Mobile users should not be careless about the apps they download or install, but it is sometimes difficult, if not nearly impossible, to determine whether an app is legitimate without code analysis or careful monitoring.
It is a good idea to store important documents and information in secure apps. Many password managers can store such information, which is then encrypted using the same algorithms as the passwords.
What is your take on this incident? Do you download and install apps regularly? Use any special form of protection for important data? Let us know in the comment section below.