Emerging Malware ‘SparkCat’ Targets Cryptocurrency Users on App Stores
The emergence of malicious software development kits (SDKs) targeting users on both Google Play Store and Apple App Store has raised serious concerns within the cybersecurity community. According to a recent report released by Kaspersky Labs, a particular strain of malware known as SparkCat has been identified. This malware scans users’ images for recovery phrases related to cryptocurrency wallets, aiming to drain the funds contained within those wallets.
Once SparkCat infects a device, it employs an optical character recognition (OCR) stealer to search for images containing specific keywords across various languages. Recovery phrases extracted from these images provide attackers with complete control over victims’ cryptocurrency assets. Beyond targeting recovery phrases, SparkCat is also capable of accessing other sensitive personal data stored in the device’s gallery, including message content and passwords captured in screenshots.
Kaspersky experts recommend that users refrain from storing sensitive information in screenshots or photo galleries; instead, they advise opting for password managers to enhance security. Additionally, they emphasize the importance of uninstalling any suspicious or potentially infected applications.
On Android devices, SparkCat disguises itself as a Java component called Spark, masquerading as an analytics module while pulling operational commands from an encrypted configuration file on GitLab. The malware abuses Google’s ML Kit OCR library to extract text from images; the recovery phrases it harvests let attackers import victims’ wallets onto devices they control without needing the victims’ passwords.
Since its detection in March 2024, SparkCat has been downloaded approximately 242,000 times, predominantly affecting users in Europe and Asia. The malware has been found in both genuine and counterfeit applications across major app stores, utilizing rare programming languages and cross-platform capabilities that complicate its detection.
While the exact origin of SparkCat remains uncertain, Kaspersky researchers noted similarities to a prior campaign identified by ESET. The presence of comments in Chinese embedded in the code suggests that the developers may be proficient in the language, indicating a potential geographical origin for the threat.