SecureList recently published a study of Android and iOS apps that have been laced with a malicious software development kit (SDK) dubbed “SparkCat” that steals crypto wallet recovery phrases. The infected apps on Google Play have been downloaded 242,000+ times. The malicious apps were also probably the first stealers made available on Apple’s App Store. Based on the malware time stamps and configuration file creation dates found in GitLab repositories, SparkCat has been active since March 2024.
The report “Take My Money: OCR Crypto Stealers in Google Play and App Store” identified five domains as indicators of compromise (IoCs), which the WhoisXML API research team expanded through a DNS intelligence analysis. We uncovered various connected web properties comprising:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
As is our usual first step in expanding IoC lists, we sought to obtain more information about the IoCs. We queried the five domains identified as IoCs on Bulk WHOIS API and found that:
They were split between two registrars led by Dominet, which accounted for four domains. One domain was administered by Dynadot.
A query for the five domains on DNS Chronicle API showed that only two had historical IP resolutions. Specifically, they had two IP resolutions. The domain with the older first IP resolution date—19 October 2023—was aliyung[.]com. The domain googleapps[.]top, meanwhile, recorded its first IP resolution on 24 December 2023.
We started our search for connected artifacts by querying the five domains identified as IoCs on WHOIS History API. Two of them had 11 email addresses in their historical WHOIS records after duplicates were filtered out. A closer examination of the 11 email addresses revealed that six of them were public addresses.
We then queried the six public email addresses on Reverse WHOIS API and found that none of them appeared in the current WHOIS records of other domains. So, we dug deeper. Another query, this time accessing historical WHOIS records, revealed that three of the email addresses were likely not owned by domainers and had existing connections. In particular, they appeared in the historical WHOIS records of 611 email-connected domains after duplicates and those already identified as IoCs were filtered out.
A Threat Intelligence API query for the 611 email-connected domains showed that one of them—atozb[.]com—was associated with a generic threat.
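The pivot chain described above (historical WHOIS emails of the IoC domains, public-address filtering, reverse WHOIS, domainer exclusion, threat-feed cross-check) as an added offline model; this is not WhoisXML API code, the WHOIS records, feed verdicts and domain names are constructed, and the public-provider list and the domainer threshold are assumptions since the post does not state its criteria.

```python
# Constructed stand-in for historical WHOIS records (domain -> registrant
# emails seen over time). Duplicates are deliberate: the pipeline dedupes.
WHOIS_HISTORY = {
    "ioc-a.example": ["alice@gmail.com", "alice@gmail.com", "admin@corp.example"],
    "ioc-b.example": ["bulk@hotmail.com", "admin@corp.example"],
    "pivot-1.example": ["alice@gmail.com"],
    "pivot-2.example": ["alice@gmail.com", "bulk@hotmail.com"],
    "park-1.example": ["bulk@hotmail.com"],
    "park-2.example": ["bulk@hotmail.com"],
    "park-3.example": ["bulk@hotmail.com"],
}
IOCS = {"ioc-a.example", "ioc-b.example"}          # constructed seed IoCs
PUBLIC_PROVIDERS = {"gmail.com", "hotmail.com"}    # assumed free-webmail list
THREAT_FEED = {"pivot-2.example": "generic"}       # constructed feed verdicts


def public_emails(iocs, history, providers):
    """Deduplicated registrant emails from the IoCs' WHOIS history, public providers only."""
    seen = set()
    for domain in iocs:
        for email in history.get(domain, []):
            if email.lower().split("@")[-1] in providers:
                seen.add(email.lower())
    return sorted(seen)


def reverse_whois(email, history):
    """Domains whose historical WHOIS records ever carried this email."""
    return {d for d, emails in history.items() if email in map(str.lower, emails)}


def expand(iocs, history, providers, domainer_threshold=3):
    """Email-connected domains per pivot address, excluding the seed IoCs and
    addresses tied to so many domains they look like domainer/parking accounts
    (the threshold is an assumption, not a figure from the report)."""
    connected = {}
    for email in public_emails(iocs, history, providers):
        domains = reverse_whois(email, history) - iocs
        if 0 < len(domains) < domainer_threshold:
            connected[email] = sorted(domains)
    return connected


def flag(connected, feed):
    """Cross-check every email-connected domain against a threat feed."""
    return {d: feed[d] for ds in connected.values() for d in ds if d in feed}


if __name__ == "__main__":
    hits = expand(IOCS, WHOIS_HISTORY, PUBLIC_PROVIDERS)
    print(hits, flag(hits, THREAT_FEED))
```

With the constructed data, bulk@hotmail.com is dropped by the domainer heuristic and admin@corp.example is never pivoted because it is not a public address, so only alice@gmail.com yields connected domains.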
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.