SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images
A new malware campaign dubbed SparkCat has leveraged a set of bogus apps on both the Apple and Google app stores to steal victims' recovery (mnemonic) phrases for cryptocurrency wallets.
The attacks rely on an optical character recognition (OCR) model to pick out images containing wallet recovery phrases from the victims' photo libraries and exfiltrate them to a command-and-control (C2) server, Kaspersky researchers Dmitry Kalinin and Sergey Puzan said in a technical report.
The name is a reference to an embedded software development kit (SDK) that uses a Java component called Spark, which masquerades as an analytics module. It is currently not known whether the infection was the result of a supply chain attack or whether the developers introduced it deliberately.
While this is not the first time Android malware with OCR capabilities has been discovered in the wild, it is one of the first cases in which such a stealer has been found in the Apple App Store. The infected apps on Google Play are said to have been downloaded over 242,000 times.
The campaign is assessed to have been active since March 2024, with the apps distributed through both official and unofficial app stores. The apps pose as artificial intelligence (AI), food delivery, and Web3 applications, although some of them appear to offer legitimate functionality.
“The Android malware module would decrypt and launch an OCR plug-in built with Google's ML Kit library, and use it to recognize text found in images inside the gallery,” Kaspersky said. “Images that matched keywords received from the C2 were sent to the server.”
In a similar vein, the iOS version of SparkCat relies on Google's ML Kit library for OCR to steal images containing recovery phrases. One notable aspect of the malware is its use of a Rust-based communication mechanism for C2, something rarely observed in mobile apps.
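The combination Kaspersky describes, gallery read access plus an on-device OCR library plus a network channel, is something an app reviewer or mobile security team can flag mechanically before a sample is ever run. The following triage heuristic is an added example and not Kaspersky's or Google's code: it parses an AndroidManifest.xml and a list of class names extracted from an APK and reports when photo-library permissions co-occur with Google ML Kit text-recognition classes. The manifest and class list are constructed for the example; the permission names and the `com.google.mlkit.vision.text` package are real Android and ML Kit identifiers, and the older `com.google.android.gms.vision.text` prefix is included on the assumption that a reviewer would want the legacy Mobile Vision API flagged as well.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permissions that grant read access to the user's photo library.
GALLERY_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",      # API 33+
    "android.permission.READ_EXTERNAL_STORAGE",  # older API levels
}

# Package prefixes of on-device text-recognition libraries. ML Kit is the one
# the report names; the gms.vision prefix (legacy Mobile Vision) is an assumption.
OCR_PACKAGE_PREFIXES = (
    "com.google.mlkit.vision.text",
    "com.google.android.gms.vision.text",
)

# Constructed sample manifest for a fictitious food-delivery app (not from the page).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fooddelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Food Delivery"/>
</manifest>
"""

# Constructed class list, as a tool such as dexdump or a DEX parser would emit.
SAMPLE_CLASSES = [
    "com.example.fooddelivery.MainActivity",
    "com.example.fooddelivery.CheckoutActivity",
    "com.google.mlkit.vision.text.TextRecognition",
    "com.google.mlkit.vision.text.TextRecognizer",
    "okhttp3.OkHttpClient",
]


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")}


def ocr_classes(class_names) -> list:
    """Return the bundled classes that belong to a known OCR library."""
    return sorted(c for c in class_names if c.startswith(OCR_PACKAGE_PREFIXES))


def triage(manifest_xml: str, class_names, ocr_expected: bool) -> dict:
    """Flag the gallery + OCR + network combination described in the report.

    ocr_expected says whether the app's advertised purpose (e.g. a document
    scanner) would legitimately need text recognition.
    """
    perms = declared_permissions(manifest_xml)
    gallery = sorted(perms & GALLERY_PERMISSIONS)
    ocr = ocr_classes(class_names)
    network = "android.permission.INTERNET" in perms

    findings = []
    if gallery and ocr:
        findings.append("photo-library read access combined with on-device OCR")
    if gallery and ocr and network:
        findings.append("OCR output can leave the device: INTERNET permission present")
    if ocr and not ocr_expected:
        findings.append("OCR library bundled although the app category does not need text recognition")

    return {
        "gallery_permissions": gallery,
        "ocr_classes": ocr,
        "network": network,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_CLASSES, ocr_expected=False)["findings"]:
        print("REVIEW:", line)
```

The heuristic is deliberately coarse: a legitimate scanner app will trip the first two findings, so the output is a review queue, not a verdict, and the `ocr_expected` flag is what separates "needs a human look" from "plausible for this app category".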
Further analysis of the keywords used and the regions in which the apps were offered indicates that the campaign mainly targets users in Europe and Asia. The malicious activity is assessed to be the work of a threat actor fluent in Chinese.
“What makes this Trojan particularly dangerous is that there is no indication of a malicious implant hidden inside the application,” the researchers said. “The permissions it requests may look necessary for its core functionality or appear harmless at first glance.”
The disclosure comes as Zimperium zLabs detailed a mobile malware campaign targeting Indian Android users that distributes malicious APK files via WhatsApp under the guise of banking and government apps, allowing the apps to harvest sensitive personal and financial information.
The cybersecurity company said it has identified more than 1,000 bogus apps linked to the campaign, with the attackers leveraging around 1,000 hard-coded phone numbers as exfiltration points for SMS messages and one-time passwords (OTPs).
“Unlike traditional banking trojans that rely solely on command-and-control (C&C) servers for one-time password (OTP) theft, this malware campaign leverages live phone numbers to redirect SMS messages, which can be traced back to the threat actors behind this campaign,” Zimperium security researcher Aazim Yaswant said.
The attack campaign, codenamed FatBoyPanel, is said to have collected 2.5 GB of sensitive data so far, all of which is hosted on Firebase endpoints that anyone can access without authentication.
This includes SMS messages from Indian banks, bank details, credit and debit card information, and government-issued identity details belonging to about 50,000 users, the majority of whom are located in the Indian states of West Bengal, Bihar, Jharkhand, Karnataka, and Madhya Pradesh.
These incidents are a cautionary tale about the importance of properly vetting apps, including checking reviews and verifying the authenticity of developers, before downloading them, even when they are hosted on official app storefronts.
The development also follows the emergence of 24 new malware families targeting Apple macOS systems in 2024, up from 21 in 2023, according to security researcher Patrick Wardle.
It coincides with a rise in information-stealing attacks, such as those involving Poseidon, Atomic, and Cthulhu, aimed specifically at users of the desktop operating system.
“macOS infostealers often exploit the native AppleScript framework,” Palo Alto Networks Unit 42 researchers Tom Fakterman, Chen Erlich, and Tom Sharon said in a report published this week.
“This framework provides extensive access to the operating system, and its natural-language syntax simplifies execution. Since these prompts can appear to be legitimate system prompts, threat actors use this framework to deceive victims via social engineering.”
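The Unit 42 observation points at a detection opportunity: AppleScript dialogs are rendered through `osascript`, so a process-execution feed can be searched for command lines that display a dialog collecting a hidden (masked) answer while mentioning a credential. The scanner below is an added example, not Unit 42's or Apple's code. It runs over constructed process events in a simple `pid= user= parent= cmd=` line format chosen for the example (a real EDR or unified-log export would need its own parser), and grades each `osascript` invocation by how closely it matches a fake credential prompt.

```python
import os
import re
import shlex
from dataclasses import dataclass

# Constructed sample process events (format and content invented for this example).
SAMPLE_EVENTS = [
    "pid=101 user=alice parent=Terminal cmd=osascript -e 'display notification \"Build finished\" with title \"CI\"'",
    "pid=102 user=alice parent=Finder cmd=osascript -e 'display dialog \"Keychain needs your password to continue\" default answer \"\" with hidden answer'",
    "pid=103 user=bob parent=ScriptEditor cmd=osascript /Users/bob/backup.scpt",
    "pid=104 user=alice parent=launchd cmd=/usr/bin/osascript -e 'display dialog \"Update required. Enter system password\" default answer \"\" with hidden answer with icon caution'",
    "pid=105 user=bob parent=Terminal cmd=osascript -e 'display dialog \"Continue with deployment?\" buttons {\"No\", \"Yes\"}'",
]

EVENT_RE = re.compile(r"pid=(\d+) user=(\S+) parent=(\S+) cmd=(.*)")
CREDENTIAL_RE = re.compile(r"\b(password|passcode|keychain|credential)s?\b", re.IGNORECASE)


@dataclass
class Alert:
    pid: int
    user: str
    parent: str
    severity: str
    reason: str


def classify_osascript(cmd: str):
    """Return (severity, reason) for an osascript command line, or None if not osascript."""
    argv = shlex.split(cmd)
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None
    # Inline scripts follow -e; script files are left to a separate content scan.
    script = " ".join(argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-e")
    if "display dialog" not in script:
        return None
    hidden = "hidden answer" in script
    credential = CREDENTIAL_RE.search(script) is not None
    if hidden and credential:
        return "high", "masked-input dialog that mentions a credential"
    if hidden:
        return "medium", "masked-input dialog"
    return "low", "interactive dialog"


def scan(events, min_severity="medium"):
    """Parse events, classify osascript invocations, and keep those at or above min_severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    alerts = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        pid, user, parent, cmd = m.groups()
        result = classify_osascript(cmd)
        if result is None:
            continue
        severity, reason = result
        if rank[severity] >= rank[min_severity]:
            alerts.append(Alert(int(pid), user, parent, severity, reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} user={a.user} parent={a.parent}: {a.reason}")
```

The `parent` field is carried through because it is the next pivot an analyst wants: a masked password dialog spawned by `launchd` or an unsigned bundle deserves a different response than one a user typed in Terminal. The `min_severity` threshold keeps ordinary `display dialog` confirmations out of the alert queue while still leaving them available at `low` for hunting.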
2025-02-06 14:32:00