
New SparkCat Variant Hijacks iOS & Android Apps to Steal Crypto Wallet Recovery Phrase Images

A refreshed SparkCat trojan is being delivered through seemingly benign iOS and Android apps, capturing screenshots of cryptocurrency wallet recovery phrases and exfiltrating them. The campaign underscores mobile supply‑chain risk for fintech and enterprise environments.

LiveThreat™ Intelligence · April 03, 2026 · thehackernews.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 2 sector(s) · Actions: 3 recommended · Source: thehackernews.com

What Happened — Researchers identified a refreshed SparkCat trojan distributed through legitimate‑looking apps on the Apple App Store and Google Play Store. The malware silently captures screenshots of cryptocurrency wallet recovery phrases and exfiltrates them to command‑and‑control servers.

Why It Matters for TPRM

  • Mobile app supply‑chain attacks can compromise end‑user credentials and crypto assets, exposing third‑party risk for organizations that endorse or integrate such apps.
  • The stealthy image‑capture technique is not caught by traditional code‑signing checks, because the malicious code ships inside apps that were accepted by the official stores, highlighting gaps in app vetting processes.
  • Crypto‑related data breaches can trigger regulatory scrutiny and financial loss for partners handling digital assets.

Who Is Affected — FinTech firms, cryptocurrency exchanges, digital wallet providers, enterprises that allow BYOD or endorse mobile productivity apps, and end‑users holding crypto assets.

Recommended Actions

  • Conduct a rapid inventory of all mobile applications authorized for corporate use; remove any unvetted apps.
  • Enforce strict mobile app vetting, including static/dynamic analysis and reputation checks in app stores.
  • Deploy mobile threat defense solutions capable of detecting unauthorized screen‑capture behavior.
  • Educate users on the risks of entering recovery phrases on mobile devices and promote hardware‑based wallet storage.

Technical Notes — The variant embeds malicious code that triggers a screenshot routine when a wallet app is opened, then uploads the image via HTTPS to a hard‑coded C2 domain. No known CVE is involved; the attack leverages legitimate app distribution channels. Source: The Hacker News
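For the wallet‑developer side of the screen‑capture defenses recommended above, the following is an added example (not code from the brief or from The Hacker News): an Android screen that displays a recovery phrase opts out of screenshots, screen recording and other apps' MediaProjection captures with FLAG_SECURE, and on Android 14+ logs any screenshot attempt. RecoveryPhraseActivity and its layout are hypothetical names.

```kotlin
// Added example, not from the brief: hypothetical wallet screen that shows a
// recovery phrase and refuses to be captured.
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

class RecoveryPhraseActivity : AppCompatActivity() {  // hypothetical name

    // Android 14+ (API 34): the OS notifies the activity when a screenshot of it
    // is taken. Needs the normal permission android.permission.DETECT_SCREEN_CAPTURE
    // in the manifest. This is detection only; FLAG_SECURE below is the blocker.
    private val captureCallback =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            Activity.ScreenCaptureCallback {
                Log.w("RecoveryPhrase", "screenshot attempted while phrase was on screen")
            }
        } else null

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE marks the window content as sensitive: it is blanked out of
        // screenshots, screen recordings and MediaProjection captures by other apps,
        // and is not shown on non-secure displays. Set it before the view attaches.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_recovery_phrase)  // hypothetical layout
    }

    override fun onStart() {
        super.onStart()
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            captureCallback?.let { registerScreenCaptureCallback(mainExecutor, it) }
        }
    }

    override fun onStop() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            captureCallback?.let { unregisterScreenCaptureCallback(it) }
        }
        super.onStop()
    }
}
```

This covers only the wallet app's own screens; a phrase a user photographs or pastes into another app is outside its reach, which is what the user‑education action above addresses.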

Original Source
https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
