In a troubling development, cybersecurity researchers at Kaspersky have uncovered a sophisticated malware campaign targeting both iOS and Android devices. Known as SparkCat, this malware leverages optical character recognition (OCR) technology to scan users’ photo galleries and extract sensitive cryptocurrency wallet information, specifically recovery phrases, from screenshots. The malicious apps harboring this malware were discovered on both Google Play and Apple’s App Store, marking the first known instance of such an attack within Apple’s ecosystem.
The SparkCat malware was first identified in late 2024, but its origins trace back to March of the same year. It operates by requesting access to users’ photo galleries when they interact with support features in the infected apps. Upon receiving permission, the malware uses OCR technology—specifically, Google’s ML Kit library—to scan images for recognizable keywords, such as recovery phrases associated with cryptocurrency wallets. If the malware detects an image containing a recovery phrase, it sends it back to a command-and-control server where the attackers can use the extracted information to compromise the victim’s crypto wallet.
Kaspersky’s research reveals that the malware was embedded in at least 18 Android apps and 10 iOS apps, some of which have been downloaded hundreds of thousands of times. For example, apps like ComeCome, a food delivery service, were found to harbor the malware on both platforms. WeTink and AnyGPT, two AI-based chat apps, were also infected. Although Google has taken action to remove most of the affected Android apps from its store, some are still available, continuing to pose a risk. The situation with iOS apps is similar, with Kaspersky reporting that some remain on the App Store.
The true origin of SparkCat is still unclear. Kaspersky has not confirmed whether the malware was intentionally introduced by developers or if it was the result of a supply chain attack. However, the use of a Rust-based communication protocol for interacting with command-and-control servers is notable. This technique, which is not commonly seen in mobile apps, could provide further insights into the sophistication of the attackers behind the campaign. Notably, the malware appears to be primarily targeting users in Europe and Asia, suggesting that the threat actor may be fluent in Chinese.
What makes SparkCat particularly dangerous is its subtlety. There are no obvious malicious implants in the apps, and the permissions requested by the malware often appear harmless, making it difficult for users to recognize the threat. The malware’s use of OCR to scan users’ photo galleries, which may contain sensitive images like cryptocurrency recovery phrases, significantly increases the risk of financial loss. Additionally, the fact that the malware operates covertly means that users may remain unaware of the breach until their crypto wallets are emptied.
This incident highlights the importance of proper app vetting. Even though these malicious apps were available in official app stores, they still managed to bypass security measures and affect a significant number of users. Kaspersky’s findings are a stark reminder that users must be cautious when granting app permissions, especially when dealing with apps that request access to personal files or images. Additionally, users are advised to store sensitive information, such as cryptocurrency wallet recovery phrases, in encrypted note storage or password managers rather than in easily accessible formats like screenshots.
While both Apple and Google have yet to provide official statements regarding the SparkCat malware, it’s clear that the attack highlights the growing threat posed by sophisticated malware campaigns. It is important for users to stay vigilant, regularly review app permissions, and uninstall any potentially compromised apps to safeguard their personal data.
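The article's closing advice is to review which apps can read your photos. On Android the useful signal is the combination the SparkCat description relies on: a granted gallery-read permission together with network access. The following script is an added example, not code from the article or from Kaspersky; it parses the text that `adb shell dumpsys package <pkg>` prints and lists packages that hold both. The `SAMPLE_DUMPSYS` text and its package names are constructed for the example, and the parser assumes the `Package [...]` / `<perm>: granted=true` layout of current Android `dumpsys` output (an assumption; older builds may differ). On iOS the equivalent check is manual, under Settings > Privacy & Security > Photos.

```python
"""Audit Android package permissions for the gallery-plus-network combination.

Added example (not from the article or from Kaspersky): flags apps that can
both read the user's photos and reach the network, the two capabilities the
SparkCat description depends on (scan screenshots, upload matches).
"""
import re
from typing import Dict, List, Set

# Permissions that grant read access to the user's photos: the Android 13+
# media permission plus the older storage permission many apps still request.
GALLERY_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}
NETWORK_PERM = "android.permission.INTERNET"

# Assumed dumpsys layout: a "Package [name] (sig):" header followed by lines of
# the form "<permission>: granted=true|false" under install/runtime sections.
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample in the dumpsys format; not output from a real device.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fooddelivery] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_MEDIA_IMAGES
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (4d5e6f):
    userId=10124
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (7a8b9c):
    userId=10125
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]
"""


def parse_granted_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Return {package_name: set of permissions reported as granted=true}.

    Lines under "requested permissions:" carry no granted= field and are
    ignored; only install/runtime entries with granted=true count.
    """
    granted: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted


def audit_dumpsys(dumpsys_text: str) -> List[str]:
    """Package names that can both read photos and reach the network."""
    flagged = []
    for pkg, perms in parse_granted_permissions(dumpsys_text).items():
        if perms & GALLERY_PERMS and NETWORK_PERM in perms:
            flagged.append(pkg)
    return sorted(flagged)


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then pass its text.
    for pkg in audit_dumpsys(SAMPLE_DUMPSYS):
        print(f"review photo access for: {pkg}")
```

A hit is not proof of anything malicious; a legitimate photo-sharing app holds the same pair. The list is the short set of apps worth opening in Settings to confirm the gallery grant is still wanted, which is the review the article recommends.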