A newly discovered malware has been causing havoc in the crypto community, with over 200,000 downloads of infected apps reported. The malware, known as SparkCat, targets both Android and iOS users by infiltrating popular mobile apps and stealing cryptocurrency wallet private keys. This alarming discovery was made by cybersecurity firm Kaspersky in a recent report.
SparkCat spreads through malicious software development kits hidden within seemingly harmless apps, such as food delivery and AI-powered messaging apps, which were available on Google Play and the App Store. The malware utilizes optical character recognition technology to scan through a victim’s photo gallery in search of crypto wallet recovery phrases hidden in screenshots or saved notes.
The operation of SparkCat differs slightly between Android and iOS devices. On Android, the malware is injected via a Java-based SDK called Spark, disguised as an analytics module. Once activated, Spark retrieves an encrypted configuration file from a remote GitLab repository and uses Google ML Kit’s OCR tool to scan the image gallery for specific keywords related to crypto wallet recovery phrases in various languages.
On the other hand, the iOS version of SparkCat operates through a malicious framework embedded in infected apps, under names like GZIP, googleappsdk, or stat. This framework, written in Objective-C and obfuscated with HikariLLVM, integrates with Google ML Kit to extract text from images in the gallery. To avoid detection, the iOS malware only requests gallery access when specific actions are performed by the user.
The extent of the infection caused by SparkCat is staggering, with over 242,000 devices across Europe and Asia estimated to be affected. While the exact origin of the malware remains unknown, clues within the code suggest that the developers may be fluent in Chinese.
To protect themselves from such threats, Kaspersky researchers advise users not to store sensitive information such as seed phrases, private keys, and passwords in screenshots, since any app with gallery access can read them. It is crucial to remain vigilant and take the necessary precautions to safeguard personal crypto assets.
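One practical way to act on that advice is to audit your own gallery for screenshots that look like recovery phrases before an app with gallery access finds them. The following is an added example, not code from Kaspersky's report or from the malware: it assumes OCR text has already been extracted from each image with a local OCR tool, and applies two heuristics that mirror what the article describes (recovery-phrase keywords, and a run of at least twelve consecutive short lowercase words, the shape of a BIP-39 mnemonic). The sample OCR output is constructed.

```python
import re
from typing import Dict, List

# Constructed OCR output for three gallery images (sample data, not real captures).
SAMPLE_OCR: Dict[str, str] = {
    "IMG_0001.png": "Grocery list\nmilk eggs bread butter",
    "IMG_0002.png": "Recovery phrase\n1. apple 2. banana 3. cherry 4. dog 5. eagle 6. fox\n"
                    "7. grape 8. horse 9. igloo 10. jump 11. kite 12. lemon",
    "IMG_0003.png": "abandon ability able about above absent absorb abstract "
                    "absurd abuse access accident account accuse achieve acid "
                    "acoustic acquire across act action actor actress actual",
}

# Keywords a user (or a scanner) would associate with wallet backups; extend as needed.
KEYWORDS = ("recovery phrase", "seed phrase", "mnemonic", "secret phrase", "backup phrase")
MIN_RUN = 12                       # shortest BIP-39 mnemonic is 12 words
MNEMONIC_WORD = re.compile(r"[a-z]{3,8}")   # BIP-39 English words are 3 to 8 letters


def find_candidate_phrases(text: str) -> List[List[str]]:
    """Return every run of >= MIN_RUN consecutive mnemonic-shaped words in OCR text."""
    # Drop list numbering such as "1." or "12)" so numbered layouts collapse to plain words.
    cleaned = re.sub(r"\b\d{1,2}[.)]", " ", text.lower())
    runs: List[List[str]] = []
    current: List[str] = []
    for token in cleaned.split():
        if MNEMONIC_WORD.fullmatch(token):
            current.append(token)
        else:                      # punctuation, digits or a long word breaks the run
            if len(current) >= MIN_RUN:
                runs.append(current)
            current = []
    if len(current) >= MIN_RUN:
        runs.append(current)
    return runs


def classify(text: str) -> List[str]:
    """Return the reasons an image is suspicious, or an empty list if it looks benign."""
    reasons: List[str] = []
    hits = [k for k in KEYWORDS if k in text.lower()]
    if hits:
        reasons.append("keyword:" + ",".join(hits))
    runs = find_candidate_phrases(text)
    if runs:
        reasons.append(f"word-run:{max(len(r) for r in runs)}")
    return reasons


def scan_gallery(ocr_by_file: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged filename to its reasons; benign images are omitted."""
    return {name: classify(text) for name, text in ocr_by_file.items() if classify(text)}


if __name__ == "__main__":
    for name, reasons in scan_gallery(SAMPLE_OCR).items():
        print(f"{name}: {', '.join(reasons)}  (move out of the gallery, then delete)")
```

Flagged images should be moved into a password manager or hardware backup and then deleted from the gallery, which is the exposure the article warns about.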
This incident serves as a reminder of the persistent threat posed by sophisticated malware campaigns in the crypto space. Previous incidents, such as the “Clipper malware” flagged by Binance in September 2024, highlight the importance of staying informed and implementing robust security measures to mitigate risks of private key theft and financial losses within the industry.