Key Takeaway
A new version of the SparkCat malware has been identified on the Apple App Store and Google Play Store, targeting iOS and Android devices through disguised apps. The Trojan uses advanced persistence techniques, encrypted C2 communication, and data exfiltration to compromise mobile devices. Detection involves monitoring excessive permissions and network anomalies, while removal requires revoking device privileges and potentially full device resets.
Researchers have identified a new iteration of the SparkCat malware actively distributed via the Apple App Store and Google Play Store. This mobile Trojan, initially detected over a year ago, targets both iOS and Android platforms by embedding itself within legitimate-appearing applications, including enterprise messaging tools and food delivery services.
The SparkCat malware family employs advanced persistence mechanisms to maintain a foothold on infected devices. On Android, it leverages device administrator privileges to resist uninstallation, while on iOS, it exploits enterprise provisioning profiles to bypass App Store restrictions. The malware establishes covert communication channels with command-and-control (C2) servers to receive instructions and exfiltrate sensitive data.
Data exfiltration capabilities include the collection of device identifiers, contact lists, message logs, and geolocation data. SparkCat uses encrypted HTTPS traffic to communicate with C2 infrastructure, complicating detection efforts. The malware also executes remote commands to download and install additional payloads, enabling modular expansion of functionality.
Affected platforms include iOS versions 12 through 15 and Android versions 8 through 11. The malware's presence on official app marketplaces is attributed to sophisticated social engineering tactics and exploitation of app vetting process weaknesses.
Detection signatures for SparkCat involve monitoring unusual app behavior such as unauthorized access to device administrator APIs on Android and anomalous network traffic patterns consistent with encrypted C2 communication. Security vendors like Lookout and Trend Micro have released updated detection rules targeting SparkCat variants. Endpoint protection solutions should incorporate heuristics to identify apps requesting excessive permissions unrelated to their advertised functionality.
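The two heuristics named above, a device administrator receiver and permissions that do not match an app's advertised purpose, can be checked against a decoded AndroidManifest.xml. The following is an added example, not the detection logic of any vendor mentioned here; the per-category permission baseline and the sample manifest are constructed assumptions.

```python
# Added example (not vendor detection logic): triage a decoded AndroidManifest.xml
# for a device-admin receiver and for permissions that do not fit the app's
# advertised category. The category baseline below is an assumption.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Assumed baseline: what a legitimate app of this category plausibly needs.
EXPECTED_PERMISSIONS = {
    "food_delivery": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.POST_NOTIFICATIONS",
    },
}

def triage_manifest(manifest_xml: str, category: str) -> dict:
    """Flag device-admin registration and permissions outside the category baseline."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # A receiver guarded by BIND_DEVICE_ADMIN or listening for DEVICE_ADMIN_ENABLED
    # is how an app asks the system for device administrator privileges.
    device_admin = any(
        r.get(ANDROID_NS + "permission") == DEVICE_ADMIN_PERM
        or any(a.get(ANDROID_NS + "name") == DEVICE_ADMIN_ACTION for a in r.iter("action"))
        for r in root.iter("receiver")
    )
    unexpected = sorted(requested - EXPECTED_PERMISSIONS.get(category, set()))
    return {"device_admin": device_admin, "unexpected_permissions": unexpected,
            "suspicious": device_admin or bool(unexpected)}

# Constructed sample: a supposed food-delivery app that also wants SMS, contacts
# and device-admin rights.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST, "food_delivery"))
```

In practice the manifest is obtained by decoding the APK (for example with apktool or aapt) before running the check.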
Removal guidance includes revoking device administrator privileges on Android devices before uninstalling the malicious app. For iOS, users must remove the enterprise provisioning profile associated with the malware in the device settings. Performing a full device reset is recommended if persistence mechanisms prevent standard removal. Organizations should audit enterprise app deployment policies to prevent sideloading of unauthorized apps.
Vulnerabilities exploited by SparkCat have been linked to CVE-2021-1782 and CVE-2021-30858, which involve privilege escalation and app sandbox escape on Android and iOS respectively. The malware has been attributed to the threat actor group APT28, known for targeting high-value mobile users.
SOC analysts should integrate SparkCat indicators of compromise (IOCs) into SIEM platforms and monitor unusual app installation patterns. Continuous updates from mobile security vendors are critical to mitigate evolving SparkCat threats on mobile ecosystems.
Original Source: The Hacker News