Malware on Google Play and Apple App Store Stole Your Photos and Crypto
Malware on Google Play and Apple App Store Stole Your Photos and Crypto
Malware on Google Play and Apple App Store Stole Your Photos and Crypto
Information
In today’s digital world, smartphones are deeply integrated into our daily lives. Most users regularly download apps from trusted platforms like Google Play Store and Apple App Store, believing these marketplaces are safe. However, a recent discovery has shaken that confidence: malware-infected apps have made their way into both stores, and they don’t just steal personal photos they target your cryptocurrency.
The malicious apps uncovered in this incident are categorized as Data Stealers and Clipboard Hijackers. Disguised as photo editors, note-taking tools, or crypto portfolio trackers, these apps ask for permissions such as Access to photos and camera, Clipboard access, Background activity permissions. Once granted, the apps scan your device for sensitive data, especially Seed Phrases used in cryptocurrency wallets.
What is a Seed Phrase? A Seed Phrase is a sequence of 12 or 24 randomly generated words that serve as a master key to access or restore your crypto wallet (e.g., MetaMask, Trust Wallet, Ledger).Anyone who knows your Seed Phrase has full control over your crypto assets.
These apps steal seed phrases in various ways:
- Scanning copied text from the clipboard
- Searching for screenshots or notes stored on the device
- Using fake overlays mimicking wallet apps to trick users into entering their seed phrase
Incident
In mid-2025, cybersecurity researchers discovered several malicious apps available on both Google Play and the Apple App Store. These apps appeared legitimate and had innocent-sounding names such as:
- AI Photo Editor Pro
- Beauty Camera Vault
- Private Notes Keeper
- Crypto Portfolio Monitor
After installation, the apps secretly:
- Exfiltrated photos from users' devices
- Scanned the clipboard for potential crypto credentials or seed phrases
- Displayed fake login or recovery screens resembling real crypto apps
- Sent all stolen data to attacker-controlled servers
Over 80,000 users worldwide were affected, and total losses exceeded $2.3 million USD in stolen cryptocurrency. The apps were eventually removed from the stores, but the damage had already been done.This incident highlights a harsh truth: Even trusted app stores are not immune to malware infiltration.
Recommendation
- Check before you install : Read app reviews and ratings, Verify the developer's identity and Avoid apps with suspicious names or low download counts.
- Be cautious with permissions : Don’t grant access to your photos, camera, or clipboard unless absolutely necessary. Regularly review app permissions in your device settings
- Never store your seed phrase on your phone : Do not take screenshots, save in Notes, or copy it to the clipboard. Write it down on paper and store it in a secure place offline
- Use a hardware wallet for crypto Devices like Ledger or Trezor are much safer than software wallets on mobile
The important things is Security systems. We must concern and monitor as usual.
For more information please contact
Email :sales@inetms.co.th
065 149 2822 (Ms.Suphatson )
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
0613879439 (Ms.Sirilak)
0922576902 (Ms.Narusorn)
References
- https://www.bleepingcomputer.com/news/security/malware-on-google-play-app-store-stole-your-photos-and-crypto/
- https://securelist.com/sparkkitty-ios-android-malware/116793/
- https://www.kaspersky.com/about/press-releases/kaspersky-has-discovered-sparkkitty-a-new-trojan-spy-on-app-store-and-google-play
Weekly Interesting CVE | EN
| NO. |
CVE Name |
Published Date |
Last Update |
Device/Appplication/OS Target |
Attack Type |
CVSS |
Detail |
Solution |
Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 |
CVE-2025-6218 |
06/20/2025 |
06/25/2025 |
RARLAB WinRAR |
Directory Traversal Remote Code Execution |
7.8 |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of RARLAB WinRAR. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of file paths within archive files. A crafted file path can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27198. |
Update to version 7.12 or latest version |
|
| 2 |
CVE-2025-49144 |
06/23/2025 |
06/23/2025 |
Notepad++ versions 8.8.1 and prior |
privilege escalation |
7.3 |
In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. |
Update to version 8.8.2 or latest version |
|
| 3 |
CVE-2025-36038 |
25/6/2025 |
26/6/2025 |
IBM WebSphere Application Server 8.5 and 9.0 |
Remote Code Execution |
9.0 |
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. |
For V9.0.0.0 through 9.0.5.24 : Apply Fix Pack 9.0.5.25 or later |
https://www.ibm.com/support/pages/node/7237967
|
| 4 |
CVE-2024-52928 |
26/6/2025 |
27/6/2025 |
Arc before 1.26.1 on Windows |
Site settings bypass |
9.6 |
Arc before 1.26.1 on Windows has a bypass issue in the site settings that allows websites (with previously granted permissions) to add new permissions when the user clicks anywhere on the website. |
Update to versions or later |
https://arc.net/security/bulletins#windows-site-settings-bypass-cve-2024-52928 |
| 5 |
CVE-2025-3279 |
26/6/2025 |
26/6/2025 |
GitLab Community Edition (CE) and Enterprise Edition (EE) from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 |
Denial of Service (DoS) |
6.5 |
An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests. |
Update to versions 17.11.5, 18.0.3,18.1.1 or later |
https://www.cvedetails.com/cve/CVE-2025-3279/
|
Malware News or Campaign IOC/IOA | EN
|
No |
Campaign Name |
Detection Date |
Attack Type |
Description |
Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 |
Ransomware gangs increasingly use Skitnet post-exploitation malware |
16/05/2025 |
Ransomware, Command and Control (C2) Server |
The increasing threat of ransomware attacks is being seen using a malware called Skitnet (Bossnet). According to Prodaft researchers, the malware was discovered in 2024, but has been increasingly used in 2025 and can be found on the “RAMP” platform. They also say that such incidents are often used after a successful phishing attack, with BlackBasta always used to launch a phishing attack against Microsoft Teams first. The Skitnet functionality calls a NIM payload to establish a connection to the C2 server and generates a random DNS, allowing a reverse shell to execute commands as desired by the attacker. It also includes Anydesk for remote access to the victim machine, and uses system settings to screen capture machine data using Powershell and send it to the C2 server Since RaaS (Rasnsomware as a Service) is expensive, attackers are interested in deploying malware in stages to reduce costs, which will lead to a spike in attacks in 2025. |
|
Ref: https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/
08 July 2025
Viewed 233 time
