Cyber999 Advisories

14 February 2025     Advisory

MA-1260.022025: MyCERT Advisory - SparkCat Malware Infiltrates Apps on Google Play and Apple App Store


1.0 Introduction
The Cyber999 Incident Response Centre has recently been alerted to a new cybersecurity threat identified by Kaspersky, known as SparkCat. This malware was embedded in apps published on both the Google Play Store and the Apple App Store, and poses a serious risk to mobile users in Malaysia. SparkCat uses Optical Character Recognition (OCR) to read text out of images on the device, which allows it to extract credentials, financial details, and cryptocurrency wallet information (such as wallet recovery phrases) from screenshots and other captured text.

2.0 Impact
SparkCat was distributed through apps that passed the security review of the official app stores, so it can reach users who install software only from trusted sources. A successful infection carries a significant risk of data breaches, financial fraud, and unauthorised access to user accounts, including theft of cryptocurrency funds.

3.0 Affected System
Android and iOS

4.0 Indicators of Compromise
4.1 Infected Android apps


4.2 iOS framework MD5s:


4.3 Trojan configuration in GitLab


4.4 C2


4.5 Photo storage


4.6 Infected Android APKs from Google Play

  • com.crownplay.vanity.address
  • com.atvnewsonline.app
  • com.bintiger.mall.android
  • com.websea.exchange
  • org.safew.messenger
  • org.safew.messenger.store
  • com.tonghui.paybank
  • com.bs.feifubao
  • com.sapp.chatai
  • com.sapp.starcoin


4.7 BundleIDs encrypted inside the iOS frameworks

  • im.pop.app.iOS.Messenger
  • com.hkatv.ios
  • com.atvnewsonline.app
  • io.zorixchange
  • com.yykc.vpnjsq
  • com.llyy.au
  • com.star.har91vnlive
  • com.jhgj.jinhulalaab
  • com.qingwa.qingwa888lalaaa
  • com.blockchain.uttool
  • com.wukongwaimai.client
  • com.unicornsoft.unicornhttpsforios
  • staffs.mil.CoinPark
  • com.lc.btdj
  • com.baijia.waimai
  • com.ctc.jirepaidui
  • com.ai.gbet
  • app.nicegram
  • com.blockchain.ogiut
  • com.blockchain.98ut
  • com.dream.towncn
  • com.mjb.Hardwood.Test
  • com.galaxy666888.ios
  • njiujiu.vpntest
  • com.qqt.jykj
  • com.ai.sport
  • com.feidu.pay
  • app.ikun277.test
  • com.usdtone.usdtoneApp2
  • com.cgapp2.wallet0
  • com.bbydqb
  • com.yz.Byteswap.native
  • jiujiu.vpntest
  • com.wetink.chat
  • com.websea.exchange
  • com.customize.authenticator
  • im.token.app
  • com.mjb.WorldMiner.new
  • com.kh-super.ios.superapp
  • com.thedgptai.event
  • com.yz.Eternal.new
  • xyz.starohm.chat
  • com.crownplay.luckyaddress1
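
The following POSIX shell script is an added example, not part of the MyCERT advisory or of Kaspersky's research: it takes the output of Android's `pm list packages` and reports any installed package whose name appears in the section 4.6 list, which is the check an administrator or user would run before uninstalling (see the first recommendation in section 5.0). The `SAMPLE_PM_OUTPUT` block is constructed for offline use; on a real device, replace it with `adb shell pm list packages`.

```shell
#!/bin/sh
# Added example (not from the advisory): match an Android device's installed
# package list against the SparkCat package names in section 4.6.

# Package names copied from section 4.6 of the advisory, one per line.
SPARKCAT_PACKAGES="com.crownplay.vanity.address
com.atvnewsonline.app
com.bintiger.mall.android
com.websea.exchange
org.safew.messenger
org.safew.messenger.store
com.tonghui.paybank
com.bs.feifubao
com.sapp.chatai
com.sapp.starcoin"

# Constructed sample of `adb shell pm list packages` output for offline use.
# The real command prints one "package:<name>" line per installed package.
SAMPLE_PM_OUTPUT="package:com.android.settings
package:com.sapp.chatai
package:com.example.notes
package:org.safew.messenger"

# find_sparkcat_packages: read "package:<name>" lines on stdin and print each
# name that is in the IoC list, one per line. Matching is exact (-x) on fixed
# strings (-F), so a legitimate app that merely shares a prefix with an IoC
# (e.g. "org.safew.messenger.store" vs "org.safew.messenger") is not confused.
find_sparkcat_packages() {
    sed -n 's/^package://p' | while IFS= read -r pkg; do
        if printf '%s\n' "$SPARKCAT_PACKAGES" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# check_sample: run the matcher over the constructed sample and return the
# hits as a single space-separated string (empty string means no hits).
check_sample() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_sparkcat_packages \
        | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: report the sample hits. With a device attached, use instead:
#   adb shell pm list packages | find_sparkcat_packages
# and then `adb uninstall <package>` (or remove the app from device settings)
# for every package reported.
hits="$(check_sample)"
if [ -n "$hits" ]; then
    printf 'SparkCat IoC packages installed: %s\n' "$hits"
else
    printf 'No section 4.6 packages found.\n'
fi
```

There is no equivalent `pm` listing on a non-jailbroken iPhone; to compare an iOS device against the bundle IDs in section 4.7, list installed apps with a desktop tool that reads bundle identifiers over USB (for example `ideviceinstaller -l` from libimobiledevice, assumed here to be available) and match against that list in the same way.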


5.0 Recommendations
CyberSecurity Malaysia advises users to follow the steps given below to protect themselves from becoming victims.

  • Immediately uninstall any SparkCat-infected application from your device, as these apps steal sensitive data, including cryptocurrency wallet information, using OCR.
  • Regularly review and limit app permissions, especially access to the camera, photos and storage, or the clipboard, and revoke unnecessary access to sensitive data such as passwords or wallet information.
  • Install reputable mobile security solutions that can detect and block malicious apps like SparkCat, offering real-time protection against emerging threats.
  • Enable two-factor authentication (2FA) to provide an extra layer of protection for all accounts involving sensitive or financial data.
  • Regularly monitor your financial and crypto accounts for unauthorized transactions and report any suspicious activity to the relevant authorities or service provider immediately.
  • Ensure that both your device’s operating system and apps are kept up to date with the latest security patches.
  • Avoid downloading apps from unofficial sources and stick to trusted platforms like Google Play Store and Apple App Store, while remaining cautious as official stores can still host malicious apps.
  • Regularly backup important data, especially financial and crypto assets, using secure cloud services or offline storage methods.

For further enquiries, please contact us through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 08:30 -17:30 MYT 
Web:  https://www.mycert.org.my  

6.0 References

CyberSecurity Malaysia is the national cyber security specialist agency under the purview of the Ministry of Digital (KD)