Stealth Malware in Apps Hijacks Crypto Wallets—Millions at Risk!

By Divyanshi Seth

A newly discovered malware family, SparkCat, has been found inside software development kits (SDKs) embedded in apps distributed through Google’s Play Store and Apple’s App Store, cybersecurity firm Kaspersky reported. The malware scans images stored on infected devices for crypto wallet recovery (seed) phrases, which give whoever holds them full control of the wallet and its funds.

SparkCat malware is targeting crypto wallet recovery phrases through Android and iOS apps. Source: X

How SparkCat Targets Crypto Wallets

Kaspersky analysts Sergey Puzan and Dmitry Kalinin revealed in a Feb. 4 report that SparkCat infects mobile devices and searches for crypto wallet recovery phrases stored in images. The malware runs optical character recognition (OCR) over the device’s pictures and matches the extracted text against trigger keywords in several languages. A recovery phrase is the wallet’s master secret: anyone who obtains it can regenerate the private keys, take complete control of the wallet and move the funds.


Beyond stealing crypto wallet information, the malware can also extract other sensitive data, such as passwords and private messages stored in a phone’s gallery. Kaspersky’s analysts warn that storing sensitive data in screenshots is risky and advise users to rely on a password manager instead.

Malware Disguised as Analytics Software

On Android devices, SparkCat hides inside a Java-based analytics module called Spark that is embedded in a range of apps. The module downloads an encrypted configuration file from GitLab that supplies its commands and updates. It uses Google ML Kit’s text-recognition (OCR) API to turn gallery images into text, then searches that text for wallet recovery phrases and other private information.
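To make the two-stage filter described above concrete, here is an added example in Python. It is not SparkCat’s code and not Kaspersky’s tooling; it assumes the OCR step has already run (on the malware side ML Kit does that) and works on the resulting text. The trigger keywords and the small wordlist are constructed stand-ins for the malware’s real keyword list and for the full 2048-word BIP-39 list, and the sample OCR output is made up. The same logic, run over text OCR’d from your own gallery or phone backup, finds exactly the screenshots Kaspersky warns about.

```python
import re

# Constructed trigger keywords in a few languages (lower-cased). The report says
# the malware matches keywords in several languages; these particular strings
# are assumptions made for this example, not the malware's real list.
TRIGGER_KEYWORDS = {
    "en": ("recovery phrase", "seed phrase", "mnemonic", "backup phrase"),
    "zh": ("助记词", "恢复短语"),
    "ru": ("сид-фраза", "мнемоническая фраза"),
}

# Constructed subset of the BIP-39 English wordlist. A real scanner would load
# the full 2048-word list; the subset only has to cover the samples below.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
legal winner thank year wave sausage worth useful zoo wrong
""".split())

# Valid BIP-39 mnemonic lengths; anything shorter than 12 is never a phrase.
VALID_LENGTHS = (12, 15, 18, 21, 24)


def find_keyword_hits(text):
    """Return (language, keyword) pairs whose keyword occurs in the OCR text."""
    lowered = text.lower()
    return [(lang, kw)
            for lang, kws in TRIGGER_KEYWORDS.items()
            for kw in kws if kw in lowered]


def find_mnemonic_runs(text, wordlist=BIP39_SUBSET, min_words=12):
    """Return maximal runs of consecutive wordlist words at least min_words long.

    A lone wordlist word ("thank" on a receipt) never qualifies; a phrase does,
    even when OCR split it over several lines, because tokenising ignores
    line breaks.
    """
    tokens = re.findall(r"[a-z]+", text.lower())
    runs, run = [], []
    for tok in tokens + [None]:      # None is a sentinel that flushes the last run
        if tok is not None and tok in wordlist:
            run.append(tok)
            continue
        if len(run) >= min_words:
            runs.append(run)
        run = []
    return runs


def triage(text):
    """Combine both signals into a verdict for one image's OCR text."""
    hits = find_keyword_hits(text)
    runs = find_mnemonic_runs(text)
    if runs:
        risk = "high"        # a phrase-shaped run of wordlist words is present
    elif hits:
        risk = "medium"      # only a label such as "seed phrase" was seen
    else:
        risk = "none"
    return {
        "keywords": hits,
        "mnemonic_runs": runs,
        "exact_length": [len(r) in VALID_LENGTHS for r in runs],
        "risk": risk,
    }


# Constructed OCR output for a screenshot of a wallet backup (not real data;
# the 12 words are the well-known all-"abandon" BIP-39 test vector).
SAMPLE_OCR_TEXT = """\
IMG_2041  2024-11-02
Wallet backup - Recovery phrase (do not share!)
abandon abandon abandon abandon abandon abandon
abandon abandon abandon abandon abandon about
"""

# Constructed OCR output for an unrelated photo: a single wordlist word
# ("thank") must not trigger anything.
SAMPLE_RECEIPT_TEXT = "Grocery receipt  total 42.10  thank you"


if __name__ == "__main__":
    for label, text in (("backup screenshot", SAMPLE_OCR_TEXT),
                        ("receipt", SAMPLE_RECEIPT_TEXT)):
        print(label, triage(text))
```

The keyword stage alone produces false positives (a screenshot of an article about seed phrases), which is why the word-run stage matters: twelve or more consecutive wordlist words almost never occur by accident. With the full BIP-39 list a scanner would also verify the phrase’s SHA-256 checksum before reporting it, which is omitted here because the constructed subset does not carry the word indices that check needs.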

The malware has been active since March 2023, and the infected apps have been downloaded an estimated 242,000 times. Kaspersky reports that most victims are located in Europe and Asia.

A user who fell prey to the malware left a Google review on the app’s page. Source: Kaspersky Labs

Because the malicious code ships inside a third-party SDK rather than in any one app’s own code, it has spread to dozens of apps across Google’s and Apple’s app stores, and it is hard to spot by looking at a single app.

SparkCat Malware Spreads Across Multiple Apps

Kaspersky’s research indicates that the infected apps share several common features. SparkCat is written in Rust, a programming language rarely used in mobile applications. The malware is cross-platform, with variants that target both Android and iOS. It also uses obfuscation, which makes it harder for security tools to recognise.

Kaspersky Labs discovered fake apps infected with SparkCat malware on both the Google Play Store and Apple App Store. Source: Kaspersky Labs.

Some compromised apps appear to be legitimate, including food delivery services. Others are designed specifically to deceive users, such as fake AI-powered messaging apps. Kaspersky has not determined whether these apps were deliberately created to spread malware or if developers unknowingly included the malicious SDK in their software.


While the origin of SparkCat remains unclear, Kaspersky’s analysts found Chinese-language comments and error messages embedded in the malware’s code, which suggests that its developer is fluent in Chinese. The researchers also noted similarities between SparkCat and a March 2023 malware campaign uncovered by cybersecurity firm ESET.

Kaspersky advises users not to store sensitive information such as crypto wallet recovery phrases in their phone’s gallery, and to use a password manager for secure storage instead. Users should also delete any suspicious or unfamiliar apps that could be infected. Deleting the app does not undo an exfiltration that has already happened, though: if a recovery phrase was ever photographed or screenshotted on a device that may have run one of these apps, the safe assumption is that it is compromised, so create a new wallet and move the funds to it.


Divyanshi Seth is a Crypto News Journalist at CoinChapter with a master’s degree in Journalism and Mass Communication. When the 2021 crypto rally made global headlines, her curiosity led her to research blockchain technology and digital assets. That interest evolved into a career, with a focus on BTC, XRP, ADA, Dogecoin, Shiba Inu. Over the past 3 years, she has authored more than 1,000 articles, focusing primarily on ADA, Dogecoin, Shiba Inu, XRP, and Bitcoin. Divyanshi holds Bitcoin and Solana.