Uranium Finance: Prank trojan in Russia, European Commission data leak, and other cybersecurity news

New Crypto-Stealing Malware Targets Android and iOS Users with Advanced Evasion Tactics

Researchers at Kaspersky Lab have uncovered an evolved variant of the SparkCat malware, a sophisticated cryptocurrency stealer now targeting both Android and iOS users with enhanced obfuscation techniques. The threat, actively developed by a likely Chinese- or Russian-speaking operator, employs code virtualization, cross-platform programming languages, and dead-drop command-and-control (C2) infrastructure to evade detection.

Android Variant: Multi-Layered Espionage

The Android version of SparkCat is distributed via social engineering, masquerading as cracked tools for credential checking (e.g., Netflix Hunter Combo Tool, Steam Combo Extractor). Once installed, it:

  • Scans for keywords in Japanese, Korean, and Chinese, indicating a focus on Asian markets.
  • Collects system data, running processes, installed apps, and screenshots.
  • Steals credentials from Chromium-based browsers, crypto wallets, email clients, messengers (Telegram, Discord), and VPN apps.
  • Searches photo galleries for crypto-wallet seed phrases.
  • Mimics legitimate traffic by using Spotify and Chess.com profiles to hide C2 communications.

iOS Variant: Global Threat via Seed-Phrase Theft

The iOS version bypasses regional targeting by scanning for English-language crypto-wallet mnemonic phrases, broadening its reach. Like its Android counterpart, it operates stealthily, extracting sensitive data while avoiding traditional detection methods.

Dead-Drop C2 and Real-Time Taunting

A key innovation is the malware’s use of dead-drop resolvers, storing C2 addresses in public profiles (e.g., Chess.com’s "about" field) to rotate infrastructure dynamically. The operators also deploy a "Rofl" panel, allowing them to:

  • Swap crypto-wallet addresses in the clipboard.
  • Disable system tools (Task Manager, cmd.exe).
  • Manipulate user interfaces (rotating screens, jittering cursors, locking input).
  • Open chat dialogs to taunt victims in real time.
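The clipboard-swap behaviour above is the one a defender can actually observe on an endpoint: the clipboard starts holding a wallet address the user never copied. As an added illustration (not code from Kaspersky or the Forklog article), this Python heuristic runs over a constructed clipboard event stream and flags exactly that case; the event format, the address regexes and the sample values are assumptions.

```python
import re

# Assumed wallet-address families: Bitcoin (legacy/bech32) and EVM-style hex.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the wallet-address family a clipboard value looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def detect_clipboard_swaps(events):
    """Flag clipboard reads whose content is a different wallet address than
    the one the user last copied, with no user copy action in between.

    events: list of (seq, kind, value); kind is "copy" (user copied value)
    or "read" (clipboard content observed at paste time). Returns alert dicts.
    """
    alerts = []
    last_copied = None
    for seq, kind, value in events:
        if kind == "copy":
            last_copied = value.strip()
            continue
        observed = value.strip()
        if last_copied is None or observed == last_copied:
            continue
        # Hijacker signature: same address family, different value, no copy in between.
        family = address_kind(last_copied)
        if family is not None and address_kind(observed) == family:
            alerts.append({"seq": seq, "copied": last_copied,
                           "observed": observed, "family": family})
    return alerts


# Constructed sample event stream (not real data); addresses are made up.
SAMPLE_EVENTS = [
    (1, "copy", "0x" + "a1" * 20),
    (2, "read", "0x" + "a1" * 20),      # benign: clipboard unchanged
    (3, "copy", "bc1q" + "x" * 38),
    (4, "read", "bc1q" + "y" * 38),     # swapped: same family, different address
    (5, "copy", "meeting notes"),
    (6, "read", "0x" + "b2" * 20),      # copied text was not an address: not flagged
]
```

Event 4 is the only alert; a production monitor would feed real copy and paste hooks into the same function.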

Broader Cybercrime Context

The discovery coincides with other high-profile incidents:

  • Jonathan Spalletta (alias Cthulhon) was charged with stealing $53M from Uranium Finance (a BNB Chain DEX) in 2021, laundering funds through mixers and DEXs.
  • MaskGram stealer was found using Spotify and Chess.com profiles to hide C2 servers.
  • The European Commission confirmed a data breach after a ShinyHunters attack, though operations remained unaffected.

Impact and Evolution

SparkCat’s rapid development, cross-platform reach, and psychological manipulation tactics signal a growing threat to crypto users, gamers, and corporate targets. Its ability to blend into legitimate traffic and adapt to regional preferences underscores the sophistication of modern cybercrime operations. Researchers warn that victim numbers are expected to rise as the campaign expands.

Source: https://forklog.com/en/prank-trojan-in-russia-european-commission-data-leak-and-other-cybersecurity-news/

BleepingComputer cybersecurity rating report: https://www.rankiteo.com/company/bleepingcomputer

{
"id": "BLE1775291298",
"linkid": "bleepingcomputer",
"type": "Cyber Attack",
"date": "2/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['Cryptocurrency',
                                     'Gaming',
                                     'General Public'],
                        'location': ['Asia (Japan, Korea, China)',
                                     'Global (iOS variant)'],
                        'type': 'Individual Users'}],
 'attack_vector': ['Social Engineering', 'Trojanized Cracked Tools'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'file_types_exposed': ['Images (for seed phrases)',
                                        'Text (credentials)'],
                 'personally_identifiable_information': 'Yes (Crypto-wallet '
                                                        'seed phrases, '
                                                        'credentials)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Crypto-wallet seed phrases',
                                              'System metadata',
                                              'Browser data',
                                              'Messenger data',
                                              'VPN data',
                                              'Photos']},
 'description': 'Researchers at Kaspersky Lab have uncovered an evolved '
                'variant of the SparkCat malware, a sophisticated '
                'cryptocurrency stealer targeting both Android and iOS users. '
                'The malware employs code virtualization, cross-platform '
                'programming languages, and dead-drop command-and-control (C2) '
                'infrastructure to evade detection. It steals credentials, '
                'crypto-wallet seed phrases, and manipulates user interfaces '
                'while hiding C2 communications via public profiles like '
                'Spotify and Chess.com.',
 'impact': {'data_compromised': ['Credentials',
                                 'Crypto-wallet seed phrases',
                                 'System data',
                                 'Installed apps',
                                 'Screenshots',
                                 'Browser data',
                                 'Messenger data (Telegram, Discord)',
                                 'VPN app data',
                                 'Photo galleries'],
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High (Cryptocurrency)',
            'systems_affected': ['Android', 'iOS']},
 'initial_access_broker': {'entry_point': 'Trojanized Cracked Tools',
                           'high_value_targets': ['Crypto-wallet users',
                                                  'Gamers']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The incident highlights the growing sophistication of '
                    'cross-platform malware, the use of dead-drop C2 '
                    'infrastructure, and the targeting of crypto users through '
                    'social engineering and psychological manipulation.',
 'motivation': 'Financial Gain (Cryptocurrency Theft)',
 'post_incident_analysis': {'corrective_actions': ['Enhanced detection for '
                                                   'code virtualization and '
                                                   'dead-drop C2 techniques',
                                                   'Public awareness campaigns '
                                                   'on crypto-wallet security',
                                                   'Improved monitoring of '
                                                   'clipboard activity and UI '
                                                   'manipulation'],
                            'root_causes': ['Social engineering (trojanized '
                                            'cracked tools)',
                                            'Lack of user awareness',
                                            'Use of dead-drop C2 '
                                            'infrastructure for evasion',
                                            'Cross-platform malware '
                                            'development']},
 'recommendations': ['Avoid downloading cracked or pirated software.',
                     'Monitor clipboard activity for unauthorized '
                     'crypto-wallet address swaps.',
                     'Use hardware wallets for cryptocurrency storage.',
                     'Enable multi-factor authentication (MFA) for all '
                     'accounts.',
                     'Regularly audit installed apps and running processes.',
                     'Educate users on recognizing social engineering '
                     'tactics.'],
 'references': [{'source': 'Kaspersky Lab'},
                {'source': 'Jonathan Spalletta (Cthulhon) Case'},
                {'source': 'European Commission Data Breach (ShinyHunters)'}],
 'response': {'third_party_assistance': 'Kaspersky Lab'},
 'threat_actor': ['Chinese-speaking operator', 'Russian-speaking operator'],
 'title': 'New Crypto-Stealing Malware Targets Android and iOS Users with '
          'Advanced Evasion Tactics',
 'type': 'Malware (Cryptocurrency Stealer)'}