Malwareattack

#Alert🔴 #Malwareattack

A new cybersecurity threat is targeting users of both Android and iOS devices. According to a Kaspersky report, a malicious software development kit (SDK) has been spotted embedded in several apps available on Google Play and the Apple App Store. This SDK, dubbed SparkCat, is designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR) technology. The campaign has already affected hundreds of thousands of users, with over 242,000 downloads recorded on the Google Play Store alone.
The malicious SDK operates differently on Android and iOS devices. On Android, it uses a Java component called Spark, which serves as an analytics module. This component retrieves encrypted configuration files from GitLab, which contain commands and updates for the malware. On iOS, the framework goes by various names, such as Gzip, googleappsdk, or stat, and uses a Rust-based networking module called im_net_sys to communicate with C2 servers.
The primary function of this malware is to scan images on a user’s device for cryptocurrency wallet recovery phrases. These phrases, often stored as screenshots or photos, are used to restore access to cryptocurrency wallets. The malware uses Google ML Kit OCR to extract text from images, targeting specific keywords in multiple languages, including Latin, Korean, Chinese, and Japanese. Once it identifies a recovery phrase, the stolen data is sent to the attackers’ servers, allowing them to access the victim’s cryptocurrency funds without needing a password.

Kaspersky’s investigation revealed that the malware is region-specific, with different keywords and targeting strategies for areas like Europe and Asia. However, the researchers caution that the apps could still function outside their intended regions, posing a risk to a broader audience.
So far, 18 Android apps and 10 iOS apps have been identified as infected. You can find the list of affected apps in Kaspersky's report here. One notable example is the Android app — ChatAi — which had been downloaded more than 50,000 times before being removed from the Google Play Store. However, many of the other infected apps remain available on both platforms, which is still a matter of concern.
If you suspect you’ve installed any of the malware-infected apps, you must uninstall them immediately. According to experts, it is also recommended to install a reputable mobile antivirus tool to scan your device for any lingering traces of the malware. In severe cases, a factory reset may be necessary to ensure complete removal. Self-hosted, offline password managers with vault features can also provide an additional layer of security.

$BTC

🛃 Cybersecurity researchers at Threat Fabric have discovered a new family of mobile malware that can trick Android users into revealing their cryptocurrency wallet seed phrases.
📃 According to a report from March 28, the Crocodilus malware uses fake screens on top of legitimate apps and displays a warning about the need to back up your crypto wallet key within a certain period of time.
🗣️ “After the victim enters the app password, a message appears on the screen: ‘Back up your wallet key in Settings within 12 hours. Otherwise, the app will be reset and you may lose access to your wallet,’” Threat Fabric explains.
🧙This social engineering trick directs the user to the seed phrase section, which allows Crocodilus to collect this information via Android’s accessibility logger. Once the attackers obtain the seed phrase, they gain full control over the wallet and can “empty it completely.”
🐊 Crocodilus is a new malware that, according to experts, has all the features of modern hacking software, including attacks using screen overlays, advanced data collection through screen capture with sensitive information (such as passwords), and remote access to gain control over the infected device.
⚙️ The initial infection occurs when the malware is unintentionally downloaded as part of other software that bypasses Android 13 protection and other security mechanisms.
🛡️Once installed 🐊 Crocodilus requests that the accessibility service be enabled, which allows the hackers to access the device.
“Once these rights are granted, the malware connects to the command and control (C2) server to receive instructions, including a list of target applications and screen overlays,” Threat Fabric notes.
🔐 The malware runs continuously, monitoring application launches and displaying overlays to intercept credentials. When the targeted banking or cryptocurrency app is opened, a fake screen is launched on top of it, and the hackers take control of the device.
“With stolen personal data and credentials, attackers can take full control of the victim’s device using built-in remote access and secretly make fraudulent transactions,” the experts warn.
#Malwareattack #SAFU🙏 #SecurityAlert #Crocodilus #Alert🔴