Cybersecurity firm Kaspersky Labs has uncovered malware hidden in software development kits (SDKs) used to create apps for both Google’s Play Store and Apple’s App Store. This malware, named SparkCat, is designed to scan user photos for cryptocurrency wallet recovery phrases, enabling attackers to drain funds from victims’ wallets.
In a report released on February 4, Kaspersky analysts Sergey Puzan and Dmitry Kalinin detailed how SparkCat operates. Once installed on a device, the malware employs an optical character recognition (OCR) tool to search images for recovery phrases in multiple languages. These phrases provide full access to crypto wallets, allowing hackers to steal funds without additional authentication.
“The flexibility of the malware allows it to steal not only secret phrases but also other personal data from the gallery, such as the content of messages or passwords captured in screenshots,” the analysts noted.
How SparkCat Operates
On Android devices, the malware disguises itself as an analytics module within apps, using a Java component called Spark. It fetches an encrypted configuration file hosted on GitLab, which delivers commands and updates. The malware uses Google’s ML Kit OCR to extract text from images, specifically looking for recovery phrases that can be used to access crypto wallets remotely.
SparkCat’s sophisticated design allows it to operate across platforms, affecting both Android and iOS users. The malware is difficult to detect due to its use of the Rust programming language, which is uncommon in mobile applications, and its heavy reliance on code obfuscation techniques.
Scope of the Infection
Kaspersky estimates that SparkCat has been downloaded approximately 242,000 times since it first appeared in March. The malware primarily targets users in Europe and Asia and has been found in dozens of apps—both legitimate and fake—on Google’s and Apple’s app stores. Despite the range of apps, the malicious features remain consistent across platforms.
Protecting Against SparkCat
Kaspersky recommends several steps to protect against this malware:
- Avoid storing sensitive information in photos or screenshots. Instead, use a password manager for secure storage.
- Regularly review and remove suspicious apps from your devices.
- Keep software and apps updated to ensure the latest security patches are applied.
“Users should be cautious about the apps they download, even from official app stores,” Kaspersky warned.
As SparkCat continues to spread, users are advised to remain vigilant and take extra precautions when managing sensitive data on their devices.