{
  "Event": {
    "analysis": "2",
    "date": "2025-02-08",
    "extends_uuid": "",
    "info": "Take my money: OCR crypto stealers in Google Play and App Store",
    "publish_timestamp": "1739033803",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1739033062",
    "uuid": "e365463e-b2b1-4e20-a9cb-c4698edf5c03",
    "Orgc": {
      "name": "CUDESO",
      "uuid": "56c42374-fdb8-4544-a218-41ffc0a8ab16"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032180",
        "to_ids": false,
        "type": "link",
        "uuid": "faa9f278-63bd-4361-bfb6-d43b625c7030",
        "value": "https://securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "70fc779b-69a9-418a-808d-420f2c23b9b1",
        "value": "im.pop.app.iOS.Messenger"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "7c9a8fbb-4ea8-44f5-be44-11ddb678733a",
        "value": "com.hkatv.ios"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "bb475d83-156f-4940-a6f7-88a2a7fcc93b",
        "value": "com.atvnewsonline.app"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "8493323b-f565-4248-a044-4a0356030eab",
        "value": "io.zorixchange"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "6fab01da-7526-4b4f-a6f7-16eed3bd62bb",
        "value": "com.yykc.vpnjsq"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "c73cf3b5-394b-4edc-85f0-48c24c7fdecd",
        "value": "com.llyy.au"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "72667ef6-879d-4ef0-8780-1bc7365d6c6b",
        "value": "com.star.har91vnlive"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "7ebcf0ee-45d1-436b-a1d9-0891579aea5d",
        "value": "com.jhgj.jinhulalaab"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "fa5a430d-dabd-46c8-94f9-5194b93218a7",
        "value": "com.qingwa.qingwa888lalaaa"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "468a9486-0f4c-4884-8a57-38993f39f56a",
        "value": "com.blockchain.uttool"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "bd982cb3-628e-4253-bc2f-2128662cb625",
        "value": "com.wukongwaimai.client"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "b1dbdc8e-c317-4ca5-86b9-230206533aec",
        "value": "com.unicornsoft.unicornhttpsforios"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "9d077245-f6fb-4aa8-bd0a-9e1da18cf1c9",
        "value": "staffs.mil.CoinPark"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "0837bfed-95a1-4d9a-9a5f-f403795f7a2c",
        "value": "com.lc.btdj"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "a329fb88-0005-4d8c-a745-76fe3d6e6e11",
        "value": "com.baijia.waimai"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "7499976a-f492-4268-95d2-94c93a6d3cac",
        "value": "com.ctc.jirepaidui"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "897970ad-07a3-4558-b17c-c359b969ed2d",
        "value": "com.ai.gbet"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "b94a7207-ce4a-42ff-9f3e-d4a6cdb47ac4",
        "value": "app.nicegram"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "28944199-e568-46b7-a142-4364260b7892",
        "value": "com.blockchain.ogiut"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "12ff1726-dbbd-487f-86c1-29c80284baf4",
        "value": "com.blockchain.98ut"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "41c4b5e3-ae5c-463e-9b88-d8e9b33da6e8",
        "value": "com.dream.towncn"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "a65be64c-69a8-4237-aeeb-09eaf5c41188",
        "value": "com.mjb.Hardwood.Test"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "8db44d50-b9c5-44b7-8229-ab37c46afd13",
        "value": "com.galaxy666888.ios"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "ce85886f-97f8-400d-b24d-aa1029f18382",
        "value": "njiujiu.vpntest"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "43dfc8dd-8be1-4663-8637-bfeef97c5a9b",
        "value": "com.qqt.jykj"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "5c26f376-4fc3-41e7-add0-23af8c32fd16",
        "value": "com.ai.sport"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "f2a31d66-3ef3-4368-988c-b534108eb47e",
        "value": "com.feidu.pay"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "75acec96-3a7f-4772-aade-cf3343439366",
        "value": "app.ikun277.test"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "2c39a87f-e85c-40aa-ab96-54d9ba52ccc6",
        "value": "com.usdtone.usdtoneApp2"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "9aaf8204-0732-4119-9f41-3686f0fbf3ec",
        "value": "com.cgapp2.wallet0"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "d22c7958-1a49-4811-8595-94cea587c462",
        "value": "com.bbydqb"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "0806f7fa-9ef1-4c1e-aed8-8541485d0e27",
        "value": "com.yz.Byteswap.native"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "5d3b85fd-9794-4406-958d-b52fd89e2c0f",
        "value": "jiujiu.vpntest"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "857957fe-cf00-454b-ae3e-7e17e4e48a7d",
        "value": "com.wetink.chat"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "d5bbefc6-eb47-48ce-bac2-419897acf6bb",
        "value": "com.websea.exchange"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "3298bd7f-9386-49a9-9f12-20371a5b8c4d",
        "value": "com.customize.authenticator"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "446fb480-d469-42cc-86bf-8dfa000fb5a4",
        "value": "im.token.app"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "76943671-cdf4-43b5-9e4f-b145364224ca",
        "value": "com.mjb.WorldMiner.new"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "c345898d-65db-445c-9293-aa0a7881ba6a",
        "value": "com.kh-super.ios.superapp"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "6db0cbdc-a8c5-4c37-bb29-c53e80c35ac8",
        "value": "com.thedgptai.event"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "68fbc512-d1a9-4d5a-adca-3c8a80dc3300",
        "value": "com.yz.Eternal.new"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "eaae4169-3e06-4457-bda8-7a2930c21719",
        "value": "xyz.starohm.chat"
      },
      {
        "category": "Other",
        "comment": "BundleIDs encrypted inside the iOS frameworks",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032943",
        "to_ids": false,
        "type": "text",
        "uuid": "306e8df2-4c86-4a28-9c97-37897683fc88",
        "value": "com.crownplay.luckyaddress1"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "e6e2d81b-4b22-4e96-8e26-f78c5460c850",
        "value": "com.crownplay.vanity.address"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "03d56bfd-6e7e-47ca-a381-d5e987517692",
        "value": "com.bintiger.mall.android"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "3ecd5311-232c-4401-a831-3019c52910f5",
        "value": "org.safew.messenger"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "a80384bc-24a3-4fb2-a34e-5a49eaacae3d",
        "value": "org.safew.messenger.store"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "177e037c-11f0-4fbe-81a3-9340128c3cb3",
        "value": "com.tonghui.paybank"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "06c74f42-96fa-4b20-afea-cc820554e9ee",
        "value": "com.bs.feifubao"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "a2c5256d-33f8-4cf6-b28b-5dad7a520bd1",
        "value": "com.sapp.chatai"
      },
      {
        "category": "Other",
        "comment": "Names of Infected Android APKs from Google Play",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032964",
        "to_ids": false,
        "type": "text",
        "uuid": "0e572ec0-5842-46f6-9ff7-8bb32c1f1a89",
        "value": "com.sapp.starcoin"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739032984",
        "to_ids": true,
        "type": "url",
        "uuid": "9b4c80e3-5058-43d9-b196-a59467c3338b",
        "value": "https://dmbucket102.s3.ap-northeast-1.amazonaws.com"
      },
      {
        "category": "Network activity",
        "comment": "c2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033000",
        "to_ids": true,
        "type": "hostname",
        "uuid": "da0ad45e-eff0-46ba-be97-a445b99d1055",
        "value": "api.firebaseo.com"
      },
      {
        "category": "Network activity",
        "comment": "c2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033000",
        "to_ids": true,
        "type": "hostname",
        "uuid": "80936fce-40ee-4d37-b5a6-0a78aa063470",
        "value": "api.aliyung.com"
      },
      {
        "category": "Network activity",
        "comment": "c2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033000",
        "to_ids": true,
        "type": "hostname",
        "uuid": "ab2f3e2c-36a3-4d93-ab31-9ec1be392b5e",
        "value": "api.aliyung.org"
      },
      {
        "category": "Network activity",
        "comment": "c2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033000",
        "to_ids": true,
        "type": "hostname",
        "uuid": "61547631-d6e7-443e-8128-60a91d1a82eb",
        "value": "uploads.99ai.world"
      },
      {
        "category": "Network activity",
        "comment": "c2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033000",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a166e949-8177-4467-929b-2f261e6b5413",
        "value": "socket.99ai.world"
      },
      {
        "category": "Network activity",
        "comment": "c2",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033000",
        "to_ids": true,
        "type": "hostname",
        "uuid": "76e07a24-5750-44cd-8724-b9b535c99bce",
        "value": "api.googleapps.top"
      },
      {
        "category": "Network activity",
        "comment": "Trojan configuration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033021",
        "to_ids": true,
        "type": "url",
        "uuid": "93848b58-f60d-470b-8b3f-663e343910b7",
        "value": "https://gitlab.com/group6815923/ai/-/raw/main/rel.json"
      },
      {
        "category": "Network activity",
        "comment": "Trojan configuration",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033021",
        "to_ids": true,
        "type": "url",
        "uuid": "892e8fee-e23c-45e5-b699-894a4215a303",
        "value": "https://gitlab.com/group6815923/kz/-/raw/main/rel.json"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033039",
        "to_ids": true,
        "type": "md5",
        "uuid": "1d4de87b-093d-4910-960b-6df0871ed4ce",
        "value": "35fce37ae2b84a69ceb7bbd51163ca8a"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033039",
        "to_ids": true,
        "type": "md5",
        "uuid": "ac8e0514-d3b4-4eb6-b01f-7ffbc4f57b56",
        "value": "cd6b80de848893722fa11133cbacd052"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033039",
        "to_ids": true,
        "type": "md5",
        "uuid": "1160787e-ef49-4a1d-adbf-a5d4fb513c2d",
        "value": "6a9c0474cc5e0b8a9b1e3baed5a26893"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033039",
        "to_ids": true,
        "type": "md5",
        "uuid": "8d546dd9-a117-4eb7-b42c-3e5e14765cda",
        "value": "bbcbf5f3119648466c1300c3c51a1c77"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033040",
        "to_ids": true,
        "type": "md5",
        "uuid": "dc21655c-91c6-4483-b4da-9bdf73129ffc",
        "value": "fe175909ac6f3c1cce3bc8161808d8b7"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033040",
        "to_ids": true,
        "type": "md5",
        "uuid": "f97d6766-9b6a-4cc1-8800-b5c9e9a257d0",
        "value": "31ebf99e55617a6ca5ab8e77dfd75456"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033040",
        "to_ids": true,
        "type": "md5",
        "uuid": "562f39bc-06cf-43ed-9dcf-185ca8802de7",
        "value": "02646d3192e3826dd3a71be43d8d2a9e"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033040",
        "to_ids": true,
        "type": "md5",
        "uuid": "b662cdfa-423d-4d57-ab8d-101ed54e5d52",
        "value": "1e14de6de709e4bf0e954100f8b4796b"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033040",
        "to_ids": true,
        "type": "md5",
        "uuid": "c29b27d8-14c2-47df-ad19-ed81af37c680",
        "value": "54ac7ae8ace37904dcd61f74a7ff0d42"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033040",
        "to_ids": true,
        "type": "md5",
        "uuid": "d87abd45-7a7c-4ae1-9d63-f1d3a0f34cd9",
        "value": "caf92da1d0ff6f8251991d38a840fb4a"
      },
      {
        "category": "Payload delivery",
        "comment": "iOS framework MD5s",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033040",
        "to_ids": true,
        "type": "md5",
        "uuid": "1763452f-7aff-4c52-a894-40723ed48ba0",
        "value": "db128221836b9c0175a249c7f567f620"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "1ebe7f3c-ab4b-4c3f-8e55-413315b4e13a",
        "value": "0ff6a5a204c60ae5e2c919ac39898d4f"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "a777749c-ddb4-4d6b-a07b-3f5793f5c84f",
        "value": "21bf5e05e53c0904b577b9d00588e0e7"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "76c60ac3-da1c-4e9a-96ea-d76b431bf588",
        "value": "a4a6d233c677deb862d284e1453eeafb"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "2a83a9a3-5b0f-4c1f-a727-065c92b34cc9",
        "value": "66b819e02776cb0b0f668d8f4f9a71fd"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "76151300-785c-40ea-a529-194e536a6117",
        "value": "f28f4fd4a72f7aab8430f8bc91e8acba"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "ef4dcae9-e100-4b1f-b27c-d322fd791f55",
        "value": "51cb671292eeea2cb2a9cc35f2913aa3"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "96ac6f5a-b3a5-4c19-9669-dfe4a35573aa",
        "value": "00ed27c35b2c53d853fafe71e63339ed"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "e2d1f96d-f1c7-4297-89cd-b71e38cb63f1",
        "value": "7ac98ca66ed2f131049a41f4447702cd"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "7bf523a6-87be-4d19-b4bd-3ecf16bbe6c3",
        "value": "6a49749e64eb735be32544eab5a6452d"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "d732c3dd-059e-4d6f-a828-cfa5d70734f7",
        "value": "10c9dcabf0a7ed8b8404cd6b56012ae4"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "6818fc3b-8dc2-4c57-9c07-1b0abfed628f",
        "value": "24db4778e905f12f011d13c7fb6cebde"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "850aa5c9-b67c-447a-a450-0dd29c98c72d",
        "value": "4ee16c54b6c4299a5dfbc8cf91913ea3"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "de34574e-e1ab-4da6-8813-2fdf1fcbe1d4",
        "value": "a8cd933b1cb4a6cae3f486303b8ab20a"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "a0a7d537-7dda-44f7-9248-a56f0403a403",
        "value": "ee714946a8af117338b08550febcd0a9"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "3f7e2538-0368-443f-b3ee-fb3a722345d4",
        "value": "0b4ae281936676451407959ec1745d93"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "3c531de1-e481-41f1-b53b-935c691cedcf",
        "value": "f99252b23f42b9b054b7233930532fcd"
      },
      {
        "category": "Payload delivery",
        "comment": "Infected Android apps",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1739033062",
        "to_ids": true,
        "type": "md5",
        "uuid": "00e4bb84-609e-4d55-9091-a2ee52ea089f",
        "value": "eea5800f12dd841b73e92d15e48b2b71"
      }
    ],
    "EventReport": [
      {
        "uuid": "2fc9bb1d-b806-4421-b9af-0db953a62b1e",
        "name": "Report from - https://securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/ (1739032186)",
        "content": "*Update 07.02.2025: Google removed malicious apps from Google Play.*  \r\n*Update 06.02.2025: Apple removed malicious apps from the App Store.*\r\n\r\n In March 2023, researchers at ESET discovered malware implants embedded into various messaging app mods. Some of these scanned users\u2019 image galleries in search of crypto wallet access recovery phrases. The search employed an OCR model which selected images on the victim\u2019s device to exfiltrate and send to the C2 server. The campaign, which targeted Android and Windows users, saw the malware spread through unofficial sources. In late 2024, we discovered a new malware campaign we dubbed \u201cSparkCat\u201d, whose operators used similar tactics while attacking Android and iOS users through both official and unofficial app stores. Our conclusions in a nutshell:\r\n\r\n \r\n * We found Android and iOS apps, some available in Google Play and the App Store, which were embedded with a malicious SDK/framework for stealing recovery phrases for crypto wallets. The infected apps in Google Play had been downloaded more than 242,000 times. This was the first time a stealer had been found in Apple\u2019s App Store.\r\n * The Android malware module would decrypt and launch an OCR plug-in built with Google\u2019s ML Kit library, and use that to recognize text it found in images inside the gallery. Images that matched keywords received from the C2 were sent to the server. 
The iOS-specific malicious module had a similar design and also relied on Google\u2019s ML Kit library for OCR.\r\n * The malware, which we dubbed \u201cSparkCat\u201d, used an unidentified protocol implemented in Rust, a language untypical of mobile apps, to communicate with the C2.\r\n * Judging by timestamps in malware files and creation dates of configuration files in GitLab repositories, SparkCat has been active since March 2024.\r\n \r\n ## A malware SDK in Google Play apps\r\n\r\n The first app to arouse our suspicion was a food delivery app in the UAE and Indonesia, named \u201cComeCome\u201d (APK name: com.bintiger.mall.android), which was available in Google Play at the time of the research, with more than 10,000 downloads.\r\n\r\n  The onCreate method in the Application subclass, which is one of the app\u2019s entry points, was overridden in version 2.0.0 (f99252b23f42b9b054b7233930532fcd). This method initializes an SDK component named \u201cSpark\u201d. It was originally obfuscated, so we statically deobfuscated it before analyzing.\r\n\r\n Suspicious SDK being called\r\n\r\n Spark is written in Java. When initialized, it downloads a JSON configuration file from a GitLab URL embedded in the malware body. The JSON is decoded with base64 and then decrypted with AES-128 in CBC mode.\r\n\r\n The config from GitLab being decrypted\r\n\r\n If the SDK fails to retrieve a configuration, the default settings are used.\r\n\r\n We managed to download the following config from GitLab:\r\n\r\n      { \"http\": [\"https://api.aliyung.org\"], \"rust\": [\"api.aliyung.com:18883\"], \"tfm\": 1 }     12345  { \"http\": [\"https://api.aliyung.org\"], \"rust\": [\"api.aliyung.com:18883\"], \"tfm\": 1}     The \u201chttp\u201d and \u201crust\u201d fields contain SDK-specific C2 addresses, and the tfm flag is used to select a C2. 
With tfm equal to 1, \u201crust\u201d will be used as the C2, and \u201chttp\u201d if tfm has any other value.\r\n\r\n Spark uses POST requests to communicate with the \u201chttp\u201d server. It encrypts data with AES-256 in CBC mode before sending and decrypts server responses with AES-128 in CBC mode. In both cases, the keys are hard-coded constants.\r\n\r\n The process of sending data to \u201crust\u201d consists of three stages:\r\n\r\n \r\n * Data is encrypted with AES-256 in CBC mode using the same key as in the case of the \u201chttp\u201d server.\r\n * The malware generates a JSON, where <PATH> is the data upload path and <DATA> is the encrypted data from the previous stage.  \r\n      { \"path\": \"upload@<PATH>\", \"method\": \"POST\", \"contentType\": \"application/json\", \"data\": \"<DATA>\" }     123456  { \"path\": \"upload@<PATH>\", \"method\": \"POST\", \"contentType\": \"application/json\", \"data\": \"<DATA>\"}     \r\n * The JSON is sent to the server with the help of the native libmodsvmp.so library via the unidentified protocol over TCP sockets. Written in Rust, the library disguises itself as a popular Android obfuscator.\r\n \r\n Static analysis of the library wasn\u2019t easy, as Rust uses a non-standard calling convention and the file had no function names in it. We managed to reconstruct the interaction pattern after running a dynamic analysis with Frida. Before sending data to the server, the library generates a 32-byte key for the AES-GCM-SIV cipher. With this key, it encrypts the data, pre-compressed with ZSTD. The algorithm\u2019s nonce value is not generated and set to \u201cunique nonce\u201d (sic) in the code.\r\n\r\n Extending the AES key using the hard-coded nonce value\r\n\r\n The AES key is encrypted with RSA and is then also sent to the server. The public key for this RSA encryption is passed when calling a native method from the malicious SDK, in PEM format. 
The message is padded with 224 random bytes prior to AES key encryption. Upon receiving the request, the attackers\u2019 server decrypts the AES key with a private RSA key, decodes the data it received, and then compresses the response with ZSTD and encrypts it with the AES-GCM-SIV algorithm. After being decrypted in the native library, the server response is passed to the SDK where it undergoes base64 decoding and decryption according to the same principle used for communication with the \u201chttp\u201d server. See below for an example of communication between the malware module and the \u201crust\u201d server.\r\n\r\n An example of communication with the \u201crust\u201d server\r\n\r\n Once a configuration has been downloaded, Spark decrypts a payload from assets and executes it in a separate thread. It uses XOR with a 16-byte key for a cipher.\r\n\r\n A payload being decrypted\r\n\r\n The payload (c84784a5a0ee6fedc2abe1545f933655) is a wrapper for the TextRecognizer interface in Google\u2019s ML Kit library. It loads different OCR models depending on the system language to recognize Latin, Korean, Chinese or Japanese characters in images. The SDK then uploads device information to /api/e/d/u on the C2 server. The server responds with an object that controls further malware activities. The object is a JSON file, its structure shown below. The uploadSwitch flag allows the malware to keep running (value 1).\r\n\r\n      { \"code\": 0, \"message\": \"success\", \"data\": { \"uploadSwitch\": 1, \"pw\": 0, \"rs\": \"\" } }     123456789  { \"code\": 0, \"message\": \"success\", \"data\": { \"uploadSwitch\": 1, \"pw\": 0, \"rs\": \"\" }}     The SDK then registers an application activity lifecycle callback. Whenever the user initiates a chat with the support team, implemented with the legitimate third-party Easemob HelpDesk SDK, the handler requests access to the device\u2019s image gallery. 
If the pw flag in the aforementioned object is equal to 1, the module will keep requesting access if denied. The reasoning behind the SDK\u2019s request seems sound at first: users may attach images when contacting support.\r\n\r\n The reason given when requesting read access to the gallery\r\n\r\n If access is granted, the SDK runs its main functionality. This starts with sending a request to /api/e/config/rekognition on the C2 and getting parameters for processing OCR results in a response.\r\n\r\n      { \"code\": 0, \"message\": \"success\", \"data\": { \"letterMax\": 34, \"letterMin\": 2, \"enable\": 1, \"wordlistMatchMin\": 9, \"interval\": 100, \"lang\": 1, \"wordMin\": 12, \"wordMax\": 34 } }     1234567891011121314  { \"code\": 0, \"message\": \"success\", \"data\": { \"letterMax\": 34, \"letterMin\": 2, \"enable\": 1, \"wordlistMatchMin\": 9, \"interval\": 100, \"lang\": 1, \"wordMin\": 12, \"wordMax\": 34 }}     These parameters are used by processor classes that filter images by OCR-recognized words. The malware also requests a list of keywords at /api/e/config/keyword for KeywordsProcessor, which uses these to select images to upload to the C2 server.\r\n\r\n Searching for keywords among OCR image processing results\r\n\r\n Besides KeywordsProcessor, the malware contains two further processors: DictProcessor and WordNumProcessor. The former filters images using localized dictionaries stored decrypted inside rapp.binary in the assets, and the latter filters words by length. The letterMin and letterMax parameters for each process define the permitted range of word length. For DictProcessor, wordlistMatchMin sets a minimum threshold for dictionary word matches in an image. For WordNumProcessor, wordMin and wordMax define the acceptable range for the total number of recognized words. 
The rs field in the response to the request for registering an infected device controls which processor will be used.\r\n\r\n Images that match the search criteria are downloaded from the device in three steps. First, a request containing the image\u2019s MD5 hash is sent to /api/e/img/uploadedCheck on the C2. Next, the image is uploaded to either Amazon\u2019s cloud storage or to file@/api/res/send on the \u201crust\u201d server. After that, a link to the image is uploaded to /api/e/img/rekognition on the C2. So, the SDK, designed for analytics as suggested by the package name com.spark.stat, is actually malware that selectively steals gallery content.\r\n\r\n Uploading an image link\r\n\r\n We asked ourselves what kind of images the attackers were looking for. To find out, we requested from the C2 servers a list of keywords for OCR-based search. In each case, we received words in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish and Portuguese. The terms all indicated that the attackers were financially motivated, specifically targeting recovery phrases also known as \u201cmnemonics\u201d that can be used to regain access to cryptocurrency wallets.\r\n\r\n      { \"code\": 0, \"message\": \"success\", \"data\": { \"keywords\": [\"\u52a9\u8bb0\u8bcd\", \"\u52a9\u8a18\u8a5e\", \"\u30cb\u30fc\u30e2\u30cb\u30c3\u30af\", \"\uae30\uc5b5\ucf54\ub4dc\", \"Mnemonic\", \"Mnemotecnia\", \"Mn\u00e9monique\", \"Mnemonico\", \"Mnemotechnika\", \"Mnem\u00f4nico\", \"\ud074\ub9bd\ubcf4\ub4dc\ub85c\ubcf5\uc0ac\", \"\ubcf5\uad6c\", \"\ub2e8\uc5b4\", \"\ubb38\uad6c\", \"\uacc4\uc815\", \"Phrase\"] } }     123456789  { \"code\": 0, \"message\": \"success\", \"data\": { \"keywords\": [\"\u52a9\u8bb0\u8bcd\", \"\u52a9\u8a18\u8a5e\", \"\u30cb\u30fc\u30e2\u30cb\u30c3\u30af\", \"\uae30\uc5b5\ucf54\ub4dc\", \"Mnemonic\", \"Mnemotecnia\", \"Mn\u00e9monique\", \"Mnemonico\", \"Mnemotechnika\", \"Mnem\u00f4nico\", \"\ud074\ub9bd\ubcf4\ub4dc\ub85c\ubcf5\uc0ac\", 
\"\ubcf5\uad6c\", \"\ub2e8\uc5b4\", \"\ubb38\uad6c\", \"\uacc4\uc815\", \"Phrase\"] }}     Unfortunately, ComeCome was not the only app we found embedded with malicious content. We discovered a number of additional, unrelated apps covering a variety of subjects. Combined, these apps had been installed over 242,000 times at the time of writing this, and some of them remained accessible on Google Play. A full inventory can be found under the Indicators of Compromise section. We alerted Google to the presence of infected apps in its store.\r\n\r\n Popular apps containing the malicious payload\r\n\r\n Furthermore, our telemetry showed that malicious apps were also being spread through unofficial channels.\r\n\r\n SDK features could vary slightly from app to app. Whereas the malware in ComeCome only requested permissions when the user opened the support chat, in some other cases, launching the core functionality acted as the trigger.\r\n\r\n ## One small detail\u2026\r\n\r\n As we analyzed the trojanized Android apps, we noticed how the SDK set deviceType to \u201candroid\u201d in device information it was sending to the C2, which suggested that a similar Trojan existed for other platforms.\r\n\r\n Collecting information about an infected Android device\r\n\r\n A subsequent investigation uncovered malicious apps in App Store infected with a framework that contained the same Trojan. For instance, ComeCome for iOS was infected in the same way as its Android version. This is the first known case of an app infected with OCR spyware being found in Apple\u2019s official app marketplace.\r\n\r\n The ComeCome page in the App Store\r\n\r\n Negative user feedback about ComeCome\r\n\r\n ## Malicious frameworks in App Store apps\r\n\r\n We detected a series of apps embedded with a malicious framework in the App Store. We cannot confirm with certainty whether the infection was a result of a supply chain attack or deliberate action by the developers. 
Some of the apps, such as food delivery services, appeared to be legitimate, whereas others apparently had been built to lure victims. For example, we saw several similar AI-featured \u201cmessaging apps\u201d by the same developer:\r\n\r\n Messaging apps in the App Store designed to lure victims\r\n\r\n Besides the malicious framework itself, some of the infected apps contained a **modify\\_gzip.rb** script in the root folder. It was apparently used by the developers to embed the framework in the app:\r\n\r\n The contents of **modify\\_gzip.rb**\r\n\r\n The framework itself is written in Objective-C and obfuscated with **HikariLLVM**. In the apps we detected, it had one of three names:\r\n\r\n \r\n 1. **GZIP;**\r\n 2. **googleappsdk;**\r\n 3. **stat.**\r\n \r\n As with the Android-specific version, the iOS malware utilized the **ML Kit** interface, which provided access to a Google OCR model trained to recognize text, and a Rust library that implemented a custom C2 communication protocol. However, in this case, it was embedded directly into the malicious executable. Unlike the Android version, the iOS framework retained debugging symbols, which allowed us to identify several unique details:\r\n\r\n \r\n * The strings reveal the paths on the framework creators\u2019 device where the project was stored, including the user names: \r\n\t + **/Users/qiongwu/**: the project author\u2019s home directory\r\n\t + **/Users/quiwengjing/**: the Rust library creator\u2019s home directory \r\n * The C2-rust communication module was named **im\\_net\\_sys**. Besides the client, it contains code that the attackers\u2019 server presumably uses to communicate with victims.\r\n * The project\u2019s original name is **GZIP**.\r\n \r\n **Project details from code strings in the malicious framework**\r\n\r\n The framework contains several malicious classes. 
The following are of particular interest:\r\n\r\n \r\n * **MMMaker**: downloads a configuration and gathers information about the device.\r\n * **ApiMgr**: sends device data.\r\n * **PhotoMgr**: searches for photos containing keywords on the device and uploads them to the server.\r\n * **MMCore**: stores information about the C2 session.\r\n * **MMLocationMgr**: collects the current location of the device. It sent no data during our testing, so the exact purpose of this class remained unclear.\r\n \r\n Certain classes, such as **MMMaker**, could be missing or bear a different name in earlier versions of the framework, but this didn\u2019t change the malware\u2019s core functionality.\r\n\r\n Obfuscation significantly complicates the static analysis of samples, as strings are encrypted and the program\u2019s control flow is obscured. To quickly decrypt the strings of interest, we opted for dynamic analysis. We ran the application under Frida and captured a dump of the **\\_data** section where these strings were stored. What caught our attention was the fact that the app bundleID was among the decrypted data:\r\n\r\n **com.lc.btdj:** the **ComeCome** bundleID as used in the **+[MMCore config]** selector\r\n\r\nAs it turned out, the framework also stored other app bundle identifiers used in the **+[MMCore config]** selector. Our takeaways are as follows: \r\n 1. The Trojan can behave differently depending on the app it is running in.\r\n 2. There are more potentially infected apps than we originally thought.\r\n \r\n For the full list of bundle IDs we collected from decrypted strings in various framework samples, see the IoC section. Some of the apps associated with these IDs had been removed from the App Store at the time of the investigation, whereas others were still there and contained malicious code. 
Some of the IDs on the list referred to apps that did not contain the malicious framework at the time of this investigation.\r\n\r\n As with the Android-specific version, the Trojan implements three modes of filtering OCR output: keywords, word length, and localized dictionaries stored in encrypted form right inside the framework, in a \u201cwordlists\u201d folder. Unfortunately, we were unable to ascertain that the malware indeed made use of the last method. None of the samples we analyzed contained links to the dictionaries or accessed them while running.\r\n\r\n Sending selected photos containing keywords is a key step in the malicious framework\u2019s operation. Similar to the Android app, the Trojan requests permission to access the gallery only when launching the View Controller responsible for displaying the support chat. At the initialization stage, the Trojan, depending on the application it is running in, replaces the **viewDidLoad** or **viewWillAppear** method in the relevant controller with its own wrapper that calls the method **+[PhotoMgr startTask:]**. The latter then checks if the application has access to the gallery and requests it if needed. Next, if access is granted, **PhotoMgr** searches for photos that match sending criteria among those that are available and have not been processed before.\r\n\r\n The code snippet of the malicious wrapper around the viewDidLoad method that determines which application the Trojan is running in\r\n\r\n Although it took several attempts, we managed to make the app upload a picture to Amazon\u2019s cloud and then send information about it to the attackers\u2019 server. 
The app was using HTTPS to communicate with the server, not the custom \u201crust\u201d protocol:\r\n\r\n The communication with the C2 and upload to AWS\r\n\r\n The data being sent looks as follows:\r\n\r\n      POST /api/e/img/uploadedCheck { \"imgSign\": <imgMD5>, \"orgId\": <implantId>, \"deviceId\": <deviceUUID> }     123456  POST /api/e/img/uploadedCheck{ \"imgSign\": <imgMD5>, \"orgId\": <implantId>, \"deviceId\": <deviceUUID>}     \r\n\r\n      POST api/e/img/rekognition { \"imgUrl\": \"https://dmbucket102.s3.ap-northeast- 1.amazonaws.com/\"<app\\_name>\\_<device\\_uuid>\"/photo\\_\"<timestamp>\".jpg\", \"deviceName\": \"ios\", \"appName\": <appName>, \"deviceUUID\": <deviceUUID>, \"imgSign\": <imgMD5>, \"imgSize\": <imgSize>, \"orgId\":<implantId>, \"deviceChannel\": <iphoneModel>, \"keyword\":<keywordsFoundOnPicture>, \"reksign\":<processor type> }     1234567891011121314  POST api/e/img/rekognition{ \"imgUrl\": \"https://dmbucket102.s3.ap-northeast-1.amazonaws.com/\"<app\\_name>\\_<device\\_uuid>\"/photo\\_\"<timestamp>\".jpg\", \"deviceName\": \"ios\", \"appName\": <appName>, \"deviceUUID\": <deviceUUID>, \"imgSign\": <imgMD5>, \"imgSize\": <imgSize>, \"orgId\":<implantId>, \"deviceChannel\": <iphoneModel>, \"keyword\":<keywordsFoundOnPicture>, \"reksign\":<processor type>}     The oldest version of the malicious framework we were investigating was built on March 15, 2024. While it doesn\u2019t differ significantly from newer versions, this one contains more unencrypted strings, including API endpoints and a single, hardcoded C2 address. Server responses are received in plaintext.\r\n\r\n URLs hard-coded into the oldest version of the malicious framework\r\n\r\n File creation date in the app\r\n\r\n ## Campaign features\r\n\r\n While analyzing the Android apps, we found that the word processor code contained comments in Chinese. Error descriptions returned by the C2 server in response to malformed requests were also in Chinese. 
These, along with the name of the framework developer\u2019s home directory which we obtained while analyzing the iOS-specific version suggest that the creator of the malicious module speaks fluent Chinese. That being said, we have insufficient data to attribute the campaign to a known cybercrime gang.\r\n\r\n Our investigation revealed that the attackers were targeting crypto wallet recovery phrases, which were sufficient for gaining full control over a victim\u2019s crypto wallet to steal the funds. It must be noted that the malware is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots. Multiple OCR results processing modes mitigate the effects of model errors that could affect the recognition of access recovery phrase images if only keyword processing were used.\r\n\r\n Our analysis of the malicious Rust code inside the iOS frameworks revealed client code for communicating with the \u201crust\u201d server and server-side encryption components. This suggests that the attackers\u2019 servers likely also use Rust for protocol handling.\r\n\r\n Server-side private RSA key import\r\n\r\n We believe that this campaign is targeting, at a minimum, Android and iOS users in Europe and Asia, as indicated by the following:\r\n\r\n \r\n * The keywords used were in various languages native to those who live in European and Asian countries.\r\n * The dictionaries inside assets were localized in the same way as the keywords.\r\n * Some of the apps apparently operate in several countries. 
Some food delivery apps support signing up with a phone number from the UAE, Kazakhstan, China, Indonesia, Zimbabwe and other countries.\r\n \r\n We suspect that mobile users in other regions besides Europe and Asia may have been targeted by this malicious campaign as well.\r\n\r\n One of the first malicious modules that we started our investigation with was named \u201cSpark\u201d. The bundle ID of the malicious framework itself, \u201cbigCat.GZIPApp\u201d, caught our attention when we analyzed the iOS-specific Trojan. Hence the name, \u201cSparkCat\u201d. The following are some of the characteristics of this malware:\r\n\r\n \r\n * Cross-platform compatibility;\r\n * The use of the Rust programming language, which is rarely found in mobile apps;\r\n * Official app marketplaces as a propagation vector;\r\n * Stealth, with C2 domains often mimicking legitimate services and malicious frameworks disguised as system packages;\r\n * Obfuscation, which hinders analysis and detection.\r\n \r\n ## Conclusion\r\n\r\n Unfortunately, despite rigorous screening by the official marketplaces and general awareness of OCR-based crypto wallet theft scams, the infected apps still found their way into Google Play and the App Store. What makes this Trojan particularly dangerous is that there\u2019s no indication of a malicious implant hidden within the app. The permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance. The malware also runs quite stealthily. This case once again shatters the myth that iOS is somehow impervious to the kind of threats posed by malicious apps targeting Android. Here are some tips that can help you avoid becoming a victim of this malware:\r\n\r\n \r\n * If you have one of the infected apps installed on your device, remove it and avoid reinstalling until a fix is released.\r\n * Avoid storing screenshots with sensitive information, such as crypto wallet recovery phrases, in the gallery. 
You can store passwords, confidential documents and other sensitive information in special apps.\r\n * Use a robust security product on all your devices.\r\n \r\n Our security products return the following verdicts when detecting malware associated with this campaign:\r\n\r\n \r\n * HEUR:Trojan.IphoneOS.SparkCat.*\r\n * HEUR:Trojan.AndroidOS.SparkCat.*\r\n \r\n ## Indicators of compromise\r\n\r\n **Infected Android apps**  \r\n 0ff6a5a204c60ae5e2c919ac39898d4f  \r\n 21bf5e05e53c0904b577b9d00588e0e7  \r\n a4a6d233c677deb862d284e1453eeafb  \r\n 66b819e02776cb0b0f668d8f4f9a71fd  \r\n f28f4fd4a72f7aab8430f8bc91e8acba  \r\n 51cb671292eeea2cb2a9cc35f2913aa3  \r\n 00ed27c35b2c53d853fafe71e63339ed  \r\n 7ac98ca66ed2f131049a41f4447702cd  \r\n 6a49749e64eb735be32544eab5a6452d  \r\n 10c9dcabf0a7ed8b8404cd6b56012ae4  \r\n 24db4778e905f12f011d13c7fb6cebde  \r\n 4ee16c54b6c4299a5dfbc8cf91913ea3  \r\n a8cd933b1cb4a6cae3f486303b8ab20a  \r\n ee714946a8af117338b08550febcd0a9  \r\n 0b4ae281936676451407959ec1745d93  \r\n f99252b23f42b9b054b7233930532fcd  \r\n 21bf5e05e53c0904b577b9d00588e0e7  \r\n eea5800f12dd841b73e92d15e48b2b71\r\n\r\n **iOS framework MD5s:**  \r\n 35fce37ae2b84a69ceb7bbd51163ca8a  \r\n cd6b80de848893722fa11133cbacd052  \r\n 6a9c0474cc5e0b8a9b1e3baed5a26893  \r\n bbcbf5f3119648466c1300c3c51a1c77  \r\n fe175909ac6f3c1cce3bc8161808d8b7  \r\n 31ebf99e55617a6ca5ab8e77dfd75456  \r\n 02646d3192e3826dd3a71be43d8d2a9e  \r\n 1e14de6de709e4bf0e954100f8b4796b  \r\n 54ac7ae8ace37904dcd61f74a7ff0d42  \r\n caf92da1d0ff6f8251991d38a840fb4a  \r\n db128221836b9c0175a249c7f567f620\r\n\r\n **Trojan configuration in GitLab**  \r\n hxxps://gitlab[.]com/group6815923/ai/-/raw/main/rel.json  \r\n hxxps://gitlab[.]com/group6815923/kz/-/raw/main/rel.json\r\n\r\n **C2**  \r\n api.firebaseo[.]com  \r\n api.aliyung[.]com  \r\n api.aliyung[.]org  \r\n uploads.99ai[.]world  \r\n socket.99ai[.]world  \r\n api.googleapps[.]top\r\n\r\n **Photo storage**  \r\n 
hxxps://dmbucket102.s3.ap-northeast-1.amazonaws[.]com\r\n\r\n **Names of Infected Android APKs from Google Play**  \r\n com.crownplay.vanity.address  \r\n com.atvnewsonline.app  \r\n com.bintiger.mall.android  \r\n com.websea.exchange  \r\n org.safew.messenger  \r\n org.safew.messenger.store  \r\n com.tonghui.paybank  \r\n com.bs.feifubao  \r\n com.sapp.chatai  \r\n com.sapp.starcoin\r\n\r\n **BundleIDs encrypted inside the iOS frameworks**  \r\n im.pop.app.iOS.Messenger  \r\n com.hkatv.ios  \r\n com.atvnewsonline.app  \r\n io.zorixchange  \r\n com.yykc.vpnjsq  \r\n com.llyy.au  \r\n com.star.har91vnlive  \r\n com.jhgj.jinhulalaab  \r\n com.qingwa.qingwa888lalaaa  \r\n com.blockchain.uttool  \r\n com.wukongwaimai.client  \r\n com.unicornsoft.unicornhttpsforios  \r\n staffs.mil.CoinPark  \r\n com.lc.btdj  \r\n com.baijia.waimai  \r\n com.ctc.jirepaidui  \r\n com.ai.gbet  \r\n app.nicegram  \r\n com.blockchain.ogiut  \r\n com.blockchain.98ut  \r\n com.dream.towncn  \r\n com.mjb.Hardwood.Test  \r\n com.galaxy666888.ios  \r\n njiujiu.vpntest  \r\n com.qqt.jykj  \r\n com.ai.sport  \r\n com.feidu.pay  \r\n app.ikun277.test  \r\n com.usdtone.usdtoneApp2  \r\n com.cgapp2.wallet0  \r\n com.bbydqb  \r\n com.yz.Byteswap.native  \r\n jiujiu.vpntest  \r\n com.wetink.chat  \r\n com.websea.exchange  \r\n com.customize.authenticator  \r\n im.token.app  \r\n com.mjb.WorldMiner.new  \r\n com.kh-super.ios.superapp  \r\n com.thedgptai.event  \r\n com.yz.Eternal.new  \r\n xyz.starohm.chat  \r\n com.crownplay.luckyaddress1\r\n\r\n      \r\n * Apple iOS\r\n * Cryptocurrencies\r\n * Google Android\r\n * Malware\r\n * Malware Descriptions\r\n * Malware Technologies\r\n * Mobile Malware\r\n * Trojan\r\n * Trojan-stealer\r\n \r\n   Authors\r\n\r\n \r\n *    Dmitry Kalinin \r\n *    Sergey Puzan",
        "id": "86",
        "event_id": "466",
        "timestamp": "1739032234",
        "deleted": false
      }
    ]
  }
}