Newly discovered malware that has infiltrated popular mobile apps to steal cryptocurrency wallet private keys has been downloaded more than 200,000 times.
SparkCat, malware that targets both Android and iOS users, spreads through malicious software development kits embedded in apparently innocent apps, cybersecurity company Kaspersky warned in a 4 February report.
It uses optical character recognition, a technology that reads text from images, to scan through a victim's photo gallery, hunting for crypto wallet recovery phrases hidden in screenshots or stored notes.
The malware has been active since March 2024, and some of the infected apps, including food delivery and AI-powered messaging apps, were available on Google Play and the App Store. It is also the first known instance of an OCR-based stealer reaching the Apple platform.
How does Sparkcat work?
On Android, the malware is injected via a Java-based SDK called Spark, which disguises itself as an analytics module. When an infected app is started, Spark fetches an encrypted configuration file from an external GitLab repository.
Once active, SparkCat uses Google ML Kit's OCR to scan the device's image gallery. It looks for specific keywords related to crypto wallet recovery phrases in several languages, including English, Chinese, Korean, Japanese and various European languages.
The malware then uploads matching images to attacker-controlled infrastructure, either via Amazon cloud storage or a Rust-based protocol; the encrypted data transfers and non-standard communication methods make the activity harder to track.
On iOS, SparkCat operates through a malicious framework embedded in the infected apps, disguised under names such as GZIP, GoogleAppSDK or Stat. This framework, written in Objective-C and obfuscated with HikariLLVM, integrates with Google ML Kit to extract text from images in the gallery.
To avoid raising suspicion, the iOS version only requests gallery access when users perform specific actions, such as opening a support chat.
The report also warned that the “flexibility of the malware” makes it possible to steal other sensitive data, such as “content of messages or passwords that can stay on screenshots.”
Users at risk
Kaspersky estimates that the malware has infected more than 242,000 devices in Europe and Asia. Although the exact origin remains unknown, comments embedded in the code and error messages suggest that the malware's developers are fluent in Chinese.
Kaspersky researchers urge users not to store sensitive information such as seed phrases, private keys and passwords in screenshots.
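The advice above is easier to follow if you can find the material before malware does. The following audit script is an added example, not code from Kaspersky's report or from the article: it takes text you have already exported from your own notes, or OCR output from your own screenshots, and flags both label text ("recovery phrase", "seed words") and runs of words shaped like a BIP39 mnemonic (lowercase, 3 to 8 letters, in a count of 12, 15, 18, 21 or 24). The label list is an English-only assumption, the word-shape rule is a heuristic, and the optional `wordlist` parameter is where you would pass the real BIP39 English list to eliminate false positives; the sample note is constructed for the demonstration.

```python
"""Audit text exported from notes or screenshot OCR for stored recovery phrases.

Defensive use only: run it over your own data to find seed phrases that were
saved in plaintext, so they can be moved to proper storage and deleted.
"""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Set, Tuple

MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}  # word counts a BIP39 mnemonic can have

# Labels that commonly sit next to a stored phrase. Assumption: a small,
# English-only set; the real campaign matches terms in several languages.
LABEL_RE = re.compile(
    r"\b(seed|recovery|mnemonic|backup|secret)\s+(phrase|words?)\b", re.IGNORECASE
)

# A token of mnemonic-word shape: lowercase, 3 to 8 letters (the range covered by
# the English BIP39 list). Any other token ends a candidate run.
WORD_RE = re.compile(r"^[a-z]{3,8}$")
# List numbering, bullets and bare punctuation are skipped without ending a run,
# so "1. legal 2. winner ..." still forms a single run.
SKIP_RE = re.compile(r"^[\d\W_]*$")
TERMINATORS = ":;.!?"  # a word carrying one of these ends the run after itself


@dataclass
class Finding:
    kind: str                 # "label" or "phrase"
    line: int                 # 1-based line where the finding starts
    words: List[str] = field(default_factory=list)


def _tokens(text: str) -> Iterator[Tuple[int, str, bool]]:
    """Yield (line_number, token, ends_run) with surrounding punctuation stripped."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for raw in line.split():
            yield line_no, raw.strip(".,;:!?()[]{}<>\"'`"), raw[-1] in TERMINATORS


def find_phrases(text: str, wordlist: Optional[Set[str]] = None) -> List[Finding]:
    """Return runs of mnemonic-shaped words whose length is a valid BIP39 count.

    If a BIP39 wordlist is supplied, every word in the run must belong to it.
    """
    findings: List[Finding] = []
    run: List[str] = []
    run_line = 0

    def flush() -> None:
        ok_words = wordlist is None or all(w in wordlist for w in run)
        if len(run) in MNEMONIC_LENGTHS and ok_words:
            findings.append(Finding("phrase", run_line, list(run)))
        run.clear()

    for line_no, tok, ends_run in _tokens(text):
        if SKIP_RE.match(tok):
            continue                      # numbering/punctuation: neither word nor break
        if WORD_RE.match(tok):
            if not run:
                run_line = line_no
            run.append(tok)
            if ends_run:                  # "phrase:" or "yellow." closes the run
                flush()
        else:
            flush()                       # capitalised word, digits, 1-2 letter word
    flush()
    return findings


def find_labels(text: str) -> List[Finding]:
    """Return occurrences of label text that marks a stored recovery phrase."""
    return [
        Finding("label", line_no, [m.group(0)])
        for line_no, line in enumerate(text.splitlines(), start=1)
        for m in LABEL_RE.finditer(line)
    ]


def scan(text: str, wordlist: Optional[Set[str]] = None) -> List[Finding]:
    """Combined audit: labels and phrase runs, ordered by line."""
    return sorted(find_labels(text) + find_phrases(text, wordlist), key=lambda f: f.line)


# Constructed sample: a notes export in the form a user might actually leave behind.
SAMPLE_NOTE = """\
My wallet backup - do not share
Recovery phrase:
1. legal 2. winner 3. thank 4. year
5. wave 6. sausage 7. worth 8. useful
9. legal 10. winner 11. thank 12. yellow
Reminder: dentist on Tuesday at 4pm
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_NOTE):
        print(f"line {f.line}: {f.kind} -> {' '.join(f.words)}")
```

Without a wordlist the phrase rule trades precision for zero dependencies; an ordinary all-lowercase sentence of exactly twelve short words would also be flagged. Passing the real BIP39 list as `wordlist` removes that class of false positive, which is why the parameter is there.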
Advanced malware campaigns remain a persistent threat within the crypto space, and this is not the first time that bad actors have succeeded in circumventing Google's and Apple's app store security measures.
In September 2024, crypto exchange Binance flagged "Clipper malware", which infected devices via unofficial mobile apps and plug-ins and replaced wallet addresses copied by the victim with attacker-controlled ones, tricking them into transferring crypto to the wrong destination.
Meanwhile, private key theft has caused serious damage to the crypto industry and is one of the main causes of some of the largest losses to date.