SecureList recently published a study of Android and iOS apps that have been laced with a malicious software development kit (SDK) dubbed “SparkCat” that steals crypto wallet recovery phrases. The infected apps on Google Play have been downloaded 242,000+ times. The malicious apps were also probably the first stealers made available on Apple’s App Store. Based on the malware time stamps and configuration file creation dates found in GitLab repositories, SparkCat has been active since March 2024.

The report “Take My Money: OCR Crypto Stealers in Google Play and App Store” identified five domains as indicators of compromise (IoCs), which the WhoisXML API research team expanded through a DNS intelligence analysis. We uncovered various connected web properties comprising:

• 611 email-connected domains, one of which turned out to be malicious
• 179 string-connected domains, one of which has already been weaponized for attacks

A sample of the additional artifacts obtained from our analysis is available for download from our website.

More about the SparkCat IoCs

As is our usual first step in expanding IoC lists, we sought to obtain more information about the IoCs. We queried the five domains identified as IoCs on Bulk WHOIS API and found that:

• They were fairly new domains. Specifically, two were created in 2023 and three in 2024.

  

• They were split between two registrars led by Dominet, which accounted for four domains. One domain was administered by Dynadot.

  

• Only two of the domains had registrant countries in their current WHOIS records, that is, Lao People’s Democratic Republic (PDR).

A query for the five domains on DNS Chronicle API showed that only two had historical IP resolutions. Specifically, they had two IP resolutions. The domain with the older first IP resolution date—19 October 2023—was aliyung[.]com. The domain googleapps[.]top, meanwhile, recorded its first IP resolution on 24 December 2023.

SparkCat IoC List Expansion Analysis Findings

We started our search for connected artifacts by querying the five domains identified as IoCs on WHOIS History API. Two of them had 11 email addresses in their historical WHOIS records after duplicates were filtered out. A closer examination of the 11 email addresses revealed that six of them were public addresses.

We then queried the six public email addresses on Reverse WHOIS API and found that none of them appeared in the current WHOIS records of other domains. So, we dug deeper. Another query, this time accessing historical WHOIS records, revealed that three of the email addresses were likely not owned by domainers and had existing connections. In particular, they appeared in the historical WHOIS records of 611 email-connected domains after duplicates and those already identified as IoCs were filtered out.

A Threat Intelligence API query for the 611 email-connected domains showed that one of them—atozb[.]com—was associated with a generic threat.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.