
Kaspersky warns of SparkCat malware that targets private keys on Android and iOS

by Mia Anderson



Apps carrying a newly discovered malware that steals cryptocurrency wallet recovery phrases, the backups from which a wallet's private keys are derived, have been downloaded more than 200,000 times.

SparkCat, a malware targeting both Android and iOS users, spreads through malicious software development kits embedded in seemingly harmless apps, cybersecurity firm Kaspersky warned in a Feb. 4 report.

It uses optical character recognition (OCR), which extracts text from images, to scan a victim's photo gallery for crypto wallet recovery phrases captured in screenshots or photographed notes.

The malware has been active since March 2024, and some of the infected apps, including food delivery and AI-powered messaging apps, were available on Google Play and the App Store. It is also the first known OCR-based stealer to get into Apple's App Store.

How does SparkCat work?

On Android, the malware is injected via a Java-based SDK called Spark, which disguises itself as an analytics module. When an infected app is launched, Spark retrieves an encrypted configuration file from a remote GitLab repository.

Once active, SparkCat runs Google ML Kit's text-recognition (OCR) library over the device's image gallery and searches the extracted text for keywords associated with wallet recovery phrases in multiple languages, including English, Chinese, Korean, Japanese and several European languages.

Matching images are then uploaded to attacker-controlled infrastructure, either to Amazon cloud storage or over a custom protocol implemented in Rust; the encrypted transfers and non-standard transport make the traffic harder to identify and track.
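The keyword-plus-wordlist matching described above can be turned around into a defensive check on your own gallery. The following is an added example, not Kaspersky's code and not SparkCat's: it takes text that any OCR engine has already extracted from each image and flags the images that look like recovery-phrase screenshots, so they can be deleted or moved to an encrypted store. The keyword lists, the `english.txt` file name that `load_wordlist` expects, and the sample OCR output are assumptions constructed for the example; the embedded word list is only the first hundred or so entries of the 2048-word English BIP39 list, so a real run should load the full list.

```python
"""Flag recovery-phrase screenshots in OCR output from a photo gallery (defensive audit)."""
import re
from dataclasses import dataclass
from pathlib import Path

# ASSUMED multilingual trigger keywords (illustrative, not Kaspersky's published indicators).
KEYWORDS = {
    "en": ("seed phrase", "recovery phrase", "mnemonic", "secret phrase", "backup phrase"),
    "zh": ("助记词", "恢复短语"),
    "ko": ("니모닉", "복구 구문"),
    "ja": ("ニーモニック", "リカバリーフレーズ"),
    "fr": ("phrase de récupération", "phrase secrète"),
    "de": ("wiederherstellungsphrase", "seed-phrase"),
}

# BIP39 phrases have 12, 15, 18, 21 or 24 words; every English list word is 3-8 lowercase letters.
VALID_LENGTHS = (12, 15, 18, 21, 24)
ALPHA_RE = re.compile(r"^[a-z]{3,8}$")
TOKEN_RE = re.compile(r"[^\W\d_]+|\d+|[^\w\s]")   # words (any script), numbers, single punctuation
NEUTRAL_RE = re.compile(r"^(\d+|[.,:;)\-|])$")    # numbering/separators wallets print between words

# Constructed subset (first ~100 entries) of the 2048-word English BIP39 list, enough for the
# samples below. For real use call load_wordlist() on the official english.txt.
WORDLIST = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access accident account
accuse achieve acid acoustic acquire across act action actor actress actual adapt add addict
address adjust admit adult advance advice aerobic affair afford afraid again age agent agree
ahead aim air airport aisle alarm album alcohol alert alien all alley allow almost alone alpha
already also alter always amateur amazing among amount amused analyst anchor ancient anger
angle angry animal ankle announce annual another answer antenna antique anxiety any apart
apology appear apple approve april arch arctic area arena argue arm armed armor army around
""".split())

def load_wordlist(path):
    """Load the official BIP39 english.txt (one word per line). The path is the caller's choice."""
    return frozenset(Path(path).read_text(encoding="utf-8").split())

def keyword_hits(text):
    """Languages whose trigger keywords appear in the text (case-insensitive substring match)."""
    low = text.lower()
    return sorted(lang for lang, words in KEYWORDS.items() if any(w in low for w in words))

def phrase_runs(text, wordlist=WORDLIST):
    """Lengths of maximal runs of consecutive list words. Numbering and separators are ignored;
    anything else (labels, long words, other scripts) ends the current run."""
    runs, current = [], 0
    for tok in TOKEN_RE.findall(text):
        if NEUTRAL_RE.match(tok):
            continue
        low = tok.lower()
        if ALPHA_RE.match(low) and (wordlist is None or low in wordlist):
            current += 1
            continue
        if current:
            runs.append(current)
        current = 0
    if current:
        runs.append(current)
    return runs

@dataclass
class Finding:
    image: str
    languages: list
    longest_run: int
    verdict: str

def classify(image, ocr_text, wordlist=WORDLIST):
    """Combine both signals: a full-length word run is decisive, keywords alone are only a hint."""
    langs = keyword_hits(ocr_text)
    longest = max(phrase_runs(ocr_text, wordlist), default=0)
    if longest in VALID_LENGTHS:
        verdict = "recovery phrase"       # exact BIP39 length, with or without a label
    elif longest >= 12 or (langs and longest >= 6):
        verdict = "probable fragment"     # OCR dropped/merged a word, or a partial screenshot
    elif langs:
        verdict = "keyword only"          # e.g. a warning banner or tutorial; still worth a look
    else:
        verdict = "clean"
    return Finding(image, langs, longest, verdict)

def audit(gallery, wordlist=WORDLIST):
    """gallery maps image name -> OCR text; returns only the images that need attention."""
    findings = (classify(name, text, wordlist) for name, text in gallery.items())
    return [f for f in findings if f.verdict != "clean"]

# Constructed OCR output standing in for a real gallery: a wallet backup screen, a food-delivery
# receipt, a Chinese warning banner, and an unlabelled 24-word list typed into a notes app.
SAMPLE_GALLERY = {
    "IMG_0001.png": "Your recovery phrase\n1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
                    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident",
    "IMG_0002.png": "Order #4812 confirmed. Your pizza will arrive in 30 minutes.",
    "IMG_0003.png": "助记词 请勿分享给任何人",
    "IMG_0004.png": "account accuse achieve acid acoustic acquire across act action actor actress actual "
                    "adapt add addict address adjust admit adult advance advice aerobic affair afford",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_GALLERY):
        print(f"{f.image}: {f.verdict} (longest run {f.longest_run}, keywords {f.languages or '-'})")
```

Two design points carry over from how the stealer itself works: the word-run check catches an unlabelled list of words that no keyword would match (IMG_0004), and a keyword hit without a word run is kept as a low-priority finding rather than dropped, because OCR regularly misreads a few words of a real phrase.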

On iOS, SparkCat operates through a malicious framework embedded in the infected apps, disguised under names like GZIP, googleappsdk, or stat. This framework, written in Objective-C and obfuscated with HikariLLVM, integrates with Google ML Kit to extract text from images in the gallery.

To avoid raising suspicion, the iOS version requests gallery access only when the user performs an action for which the permission prompt looks legitimate, such as opening a support chat.

The report also warned that the “flexibility of the malware” allows it to steal other sensitive data like “content of messages or passwords that could remain on screenshots.”

Hundreds of thousands of users at risk

Kaspersky estimates that the infected apps on Google Play alone were downloaded more than 242,000 times, with victims concentrated in Europe and Asia. The campaign's origin is unknown, but comments embedded in the code and its error messages suggest the developers are fluent in Chinese.

Kaspersky's researchers urge users not to store seed phrases, private keys or passwords in screenshots. The infection mechanics suggest a second check: an app that has no business with your photos should not hold gallery permission, since the stealer can scan nothing until that access is granted.

Sophisticated malware campaigns remain a consistent threat in the crypto space, and this is not the first time bad actors have slipped past Google Play and App Store review.

In September 2024, crypto exchange Binance flagged the “Clipper malware,” which infected devices via unofficial mobile apps and plugins and replaced the victim’s copied wallet address with one controlled by the attacker to trick them into transferring crypto to the wrong destination.

Private key theft remains one of the main causes of the industry's largest losses to date.




