JAKARTA - Kaspersky Threat Research has discovered a new variant of the SparkCat Trojan on the App Store and Google Play, a year after the malware was first discovered and removed from both platforms.

Kaspersky experts found two infected legitimate apps in the App Store and one in Google Play, namely messaging apps designed for corporate communication and food delivery apps.

However, Kaspersky telemetry shows that the SparkCat-infected apps are also distributed via third-party sources. Some of these sources are web pages that mimic the App Store when opened from an iPhone.

The latest version of SparkCat for Android scans the image gallery on the infected device for screenshots containing keywords in Japanese, Korean, and Chinese, and is believed to target the crypto assets of users in Asia.

"It analyzes the text in the stored image using an optical character recognition module. If the attacker finds a relevant keyword, he sends the image to the attacker," said Kaspersky cybersecurity expert Dmitry Kalinin.

In addition, compared to the previous version, the updated SparkCat for Android also has several layers of obfuscation, including code virtualization and the use of cross-platform programming languages, techniques that are rarely found in mobile malware.

The iOS variant, however, takes a different approach: it scans for crypto wallet mnemonic phrases, which are in English.

This potentially gives the iOS variant a wider reach.

"Given the similarities between the current and previous samples, we believe that the developer of this new malware version is the same person. This campaign once again underlines the importance of using security solutions for smartphones to stay protected from various cyber threats," concluded Dmitry.

Kaspersky said that it had reported the known malicious applications to Google and Apple.

