SparkCat Malware Steals Crypto Wallet Recovery Phrases from App Stores

Kaspersky researchers have uncovered a sophisticated malware campaign called SparkCat that targets cryptocurrency wallet users by stealing recovery phrases through infected apps on both Google Play Store and Apple App Store. The campaign, active since March 2024, leverages a malicious software development kit (SDK) with optical character recognition (OCR) capabilities to extract sensitive information from users' image galleries.

The malware operates by embedding itself in seemingly legitimate applications across multiple platforms, including food delivery, messaging, and AI-related apps. Researchers found that the infected apps on Google Play alone had been downloaded over 242,000 times, marking a significant breach of mobile app security.

On Android devices, the malicious SDK uses a Java component called "Spark" that disguises itself as an analytics module. It employs Google's ML Kit library to scan images for specific keywords related to cryptocurrency wallet recovery phrases in multiple languages, including Chinese, Japanese, Korean, and European languages.

The iOS version of the malware follows a similar approach, utilizing a framework with names like "Gzip" or "googleappsdk" to perform the same type of image scanning and data exfiltration. What makes this campaign particularly dangerous is its sophisticated communication method, using a Rust-based networking module to communicate with command and control (C2) servers.

Researchers noted that the malware's targeting appears focused on users in Europe and Asia, with keywords and dictionary matches tailored to specific regional languages. The attackers demonstrate a nuanced approach to stealing sensitive information, using multiple processing methods to ensure maximum effectiveness in extracting recovery phrases.

The campaign represents a significant threat to cryptocurrency users, as the stolen recovery phrases could potentially provide complete access to victims' crypto wallets. Kaspersky recommends several precautionary measures, including immediately uninstalling any suspected infected apps, avoiding storing sensitive screenshots in device galleries, and using robust security products.

Most concerningly, this is the first documented instance of such an OCR-based stealer being found in Apple's App Store, challenging the perception of iOS as an inherently more secure platform. The malware's ability to blend into legitimate-looking applications makes it particularly insidious.

Cryptocurrency users are advised to be extremely cautious when downloading apps, even from official stores, and to store recovery phrases in secure, offline methods. The SparkCat campaign serves as a stark reminder of the evolving sophisticated techniques used by cybercriminals to target digital asset holders.

Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this. 

You may also like these articles: Here are the 5 most contextually relevant blog posts: