New iPhone, Android warning – Do not use any of these applications


A new warning for iPhone and Android users has just landed, with a cybersecurity company reporting that apps on Google Play and Apple's App Store have been infected with “malicious code that allows attackers to empty crypto wallets.”

It is also another case of a malicious SDK corrupting legitimate applications and compromising user devices. And it works. Kaspersky said that “infected applications have been downloaded more than 242,000 times from Google Play,” and that “this is the first known case of a stealer making its way into the App Store.” I have approached Google and Apple for any response to the new report and for confirmation that the infected applications have been fixed.


The malicious code uses OCR to scan a device's image gallery for words and phrases, in several languages, that could be recovery phrases used to access or collect wallets on the device. This, Kaspersky says, builds on the type of attack reported by ESET in 2023, in which dozens of Telegram and WhatsApp copycats deployed clippers that stole clipboard contents to get at wallets. But ESET also found that some of the copycat apps “use optical character recognition (OCR) to recognize text from screenshots stored on compromised devices, which is another first for Android malware.” This is an evolution of that threat, and it is now much worse.

Kaspersky says it “managed to establish the attackers' motivation: the attackers steal recovery phrases for crypto wallets, which are sufficient to take full control of the victim's wallet and withdraw its funds.” The researchers found the new attack at the end of 2024, but part of the code was deployed much earlier.

“The malware, which we dubbed SparkCat, used an unidentified protocol implemented in Rust, a language that is rare for mobile applications, to communicate with its C2. Judging by the timestamps of the malicious files and the creation dates of the configuration files in the GitLab repositories, SparkCat has been active since March 2024.”

The threat is international: “the very first application that looked suspicious was a food delivery app for the UAE and Indonesia called ComeCome (package name com.bintiger.mall.android),” and we can expect it to spread quickly. The malware can load “different OCR models depending on the system language, to distinguish Latin, Korean, Chinese and Japanese characters in images.”

Although more Android than iPhone apps appear to have been infected, Kaspersky says that “the App Store has iOS apps infected with a malicious framework carrying the same Trojan. For example, the ComeCome food delivery app for iOS was infected, as was its Android version. This is the first known case of OCR spyware in Apple's official store.”

The infected applications are listed in the Kaspersky report, and all will probably be fixed now that these findings have been published. The full list of Android package names and iOS bundle IDs is in that report; it is worth going through it to see whether you recognize any that might be installed on your phone.

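One way to run that check on an Android phone rather than by eye, as an added example that is not from the article or from Kaspersky: it assumes `adb` is installed with USB debugging enabled and reads the installed apps from `adb shell pm list packages`; the indicator set holds only two names from the report's list, so extend it from the full report before relying on it.

```python
import subprocess

# Package names from the Kaspersky SparkCat report (two of those printed in the article;
# extend the set from the full report).
SPARKCAT_ANDROID_PACKAGES = {
    "com.bintiger.mall.android",  # the ComeCome food delivery app
    "com.Sapp.Chatai",            # published with mixed case
}

# Constructed sample of `adb shell pm list packages` output so the script runs offline.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.bintiger.mall.android
package:com.sapp.chatai
package:com.example.notes
"""

def parse_pm_list(output: str) -> set[str]:
    """Turn 'package:<name>' tokens from `pm list packages` into a set of names."""
    return {tok[len("package:"):] for tok in output.split() if tok.startswith("package:")}

def find_flagged(installed: set[str], indicators: set[str]) -> dict[str, tuple[str, str]]:
    """Map each installed package matching an indicator to (indicator, match kind).
    Names are case-sensitive, but published lists are often re-cased, so a
    case-insensitive hit is reported too, labelled so the reader can verify it."""
    by_lower = {ioc.lower(): ioc for ioc in indicators}
    hits = {}
    for pkg in installed:
        ioc = by_lower.get(pkg.lower())
        if ioc is not None:
            hits[pkg] = (ioc, "exact" if pkg == ioc else "case-insensitive")
    return hits

def installed_packages_via_adb() -> set[str]:
    """Read the package list from the attached device (needs adb and USB debugging)."""
    result = subprocess.run(["adb", "shell", "pm", "list", "packages"],
                            capture_output=True, text=True, check=True)
    return parse_pm_list(result.stdout)

if __name__ == "__main__":
    try:
        installed = installed_packages_via_adb()
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("no device reachable via adb; checking the constructed sample instead")
        installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg, (ioc, kind) in sorted(find_flagged(installed, SPARKCAT_ANDROID_PACKAGES).items()):
        print(f"FLAGGED {pkg} (matches {ioc}, {kind}) - uninstall it")
```

A case-insensitive hit is worth confirming against the report before uninstalling, since the published list may simply have been re-cased.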


If you have any of these applications, delete them and reinstall them only once they have been updated; certainly do not use them in the meantime. “The Trojan is particularly dangerous because nothing gives away the malicious implant inside the application,” explains Kaspersky. “The permissions it requests may be used in the app's core functionality or appear harmless, and the malware operates quite stealthily.”

Kaspersky's other advice will be a wake-up call for many. “Do not store screenshots with sensitive information in the gallery, including recovery phrases for cryptocurrency wallets.” Instead, it says: “Passwords, confidential documents and other sensitive data can be stored in special applications.”

Common sense, but I am sure that most of us have compromising passwords and phrases in our image galleries that we saved as a quick reminder. Something to think about now.
