Over 242,000 Downloads: Malicious Android and iOS Apps Target Crypto Recovery Keys

A newly uncovered malware campaign, dubbed SparkCat, has infiltrated both Android and iOS ecosystems, targeting cryptocurrency wallet recovery keys through malicious apps.

Security researchers at Kaspersky have revealed that the malware leverages Optical Character Recognition (OCR) technology to scan images stored on devices for sensitive information, such as mnemonic phrases used to recover crypto wallets.

The infected Android apps had been downloaded over 242,000 times from Google Play alone, and the iOS variant is the first known OCR-based stealer to be found in Apple’s App Store.

Cross-Platform Threat with Advanced Capabilities

The SparkCat malware operates via malicious software development kits (SDKs) embedded in seemingly legitimate apps, including food delivery and AI-based messaging platforms.

On Android, the malware is introduced through a Java-based SDK called “Spark,” which masquerades as an analytics tool.

The SDK retrieves an encrypted configuration from GitLab repositories, decrypts it, and then uses Google ML Kit’s text-recognition (OCR) capabilities to scan the device gallery for recovery phrases, with dictionaries covering multiple languages including English, Chinese, Korean, and Japanese.

Figure: The config from GitLab being decrypted

Once an image is flagged as containing a recovery phrase, it is uploaded to attacker-controlled servers over an encrypted channel.

On iOS, SparkCat employs a malicious framework disguised under names like “GZIP” or “googleappsdk.”

This framework integrates with Google ML Kit for text recognition and uses advanced obfuscation techniques to evade detection.

The malware triggers its gallery scan only in response to specific user actions, such as opening a support chat within the app, so that the scan appears to be part of normal app behaviour and attracts less suspicion.

Widespread Impact

Since its emergence in March 2024, SparkCat has primarily targeted users in Europe and Asia but shows potential for broader reach.

The malware’s ability to process OCR results using localized dictionaries and keyword matching enhances its precision in identifying sensitive data.
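The dictionary-matching step described above, reimplemented here as an added defensive check rather than SparkCat’s or Kaspersky’s code: it runs the same test the stealer runs, but over a user’s own screenshots or a DLP pipeline’s OCR output, and flags text that contains a consecutive run of wallet-wordlist words. The wordlists are constructed subsets of the BIP-39 lists (a real check loads the full 2048-word list per language), the sample OCR text is constructed, and the function names are the example’s own.

```python
"""Flag OCR output that looks like a wallet recovery (mnemonic) phrase.

Added example, not code from SparkCat or from Kaspersky. It reimplements
the step the article describes, matching OCR'd text against per-language
wordlists, as a defensive check a user or DLP pipeline could run over
their own screenshots before an attacker's SDK does.
"""
import re
import unicodedata

# Lengths a BIP-39 mnemonic can have (12 to 24 words in steps of 3).
VALID_LENGTHS = {12, 15, 18, 21, 24}


def _wordset(words):
    """Normalise wordlist entries the same way the OCR text is normalised."""
    return {unicodedata.normalize("NFKC", w).lower() for w in words.split()}


# ASSUMPTION: constructed subsets (the first 24 English and first 12
# Japanese BIP-39 words). A real check loads the full list for every
# supported language. Single-character CJK lists (e.g. Chinese) would
# need character-level tokenisation, which this example does not cover.
WORDLISTS = {
    "english": _wordset(
        "abandon ability able about above absent absorb abstract absurd "
        "abuse access accident account accuse achieve acid acoustic acquire "
        "across act action actor actress actual"
    ),
    "japanese": _wordset(
        "あいこくしん あいさつ あいだ あおぞら あかちゃん あきる "
        "あけがた あける あこがれる あさい あさひ あしあと"
    ),
}

# Leading/trailing digits and punctuation (the "3." in "3. abandon", a
# stray comma) are not part of a word and are stripped from each token.
_EDGE_NOISE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def tokenize(text):
    """Split OCR output into lower-cased word tokens.

    NFKC folds full-width characters and the ideographic space (U+3000)
    used in Japanese mnemonics to their ASCII equivalents.
    """
    text = unicodedata.normalize("NFKC", text).lower()
    tokens = []
    for raw in text.split():
        tok = _EDGE_NOISE.sub("", raw)
        if tok:
            tokens.append(tok)
    return tokens


def find_mnemonic(text, wordlists=WORDLISTS, min_words=12):
    """Return details of the longest run of wordlist words, or None.

    A recovery phrase is a *consecutive* run of wordlist words, so the
    check counts runs rather than individual hits: ordinary prose with a
    few wordlist words ("able", "about") never reaches min_words in a row.
    The matched words are deliberately not returned, so a DLP tool using
    this function does not copy the secret into its own logs.
    """
    tokens = tokenize(text)
    best = None
    for language, words in wordlists.items():
        run = longest = 0
        for tok in tokens:
            run = run + 1 if tok in words else 0
            longest = max(longest, run)
        if longest >= min_words and (best is None or longest > best["words"]):
            best = {
                "language": language,
                "words": longest,
                "valid_length": longest in VALID_LENGTHS,
            }
    return best


# Constructed sample OCR output, as a screenshot of a wallet's backup
# screen might be read by an OCR engine (numbered, wrapped across lines).
SAMPLE_SCREENSHOT_TEXT = """Recovery phrase - write it down!
1. abandon  2. ability  3. able  4. about
5. above  6. absent  7. absorb  8. abstract
9. absurd  10. abuse  11. access  12. accident
Never share this with anyone"""

# Constructed benign text that happens to contain several wordlist words.
BENIGN_TEXT = "Lunch with Alice at noon, about 12 people, able to absorb the cost"

# Constructed Japanese sample using the ideographic space separator.
JAPANESE_SAMPLE = "\u3000".join(
    "あいこくしん あいさつ あいだ あおぞら あかちゃん あきる "
    "あけがた あける あこがれる あさい あさひ あしあと".split()
)

if __name__ == "__main__":
    for label, text in [("screenshot", SAMPLE_SCREENSHOT_TEXT),
                        ("benign", BENIGN_TEXT), ("japanese", JAPANESE_SAMPLE)]:
        print(label, "->", find_mnemonic(text))
```

Running the block prints a match for the screenshot text (12 English words) and the Japanese sample, and None for the benign sentence. Requiring a consecutive run rather than a word count is what keeps the precision the article attributes to the stealer; the same property makes it usable as a low-noise DLP rule.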

Figure: A payload being decrypted

Kaspersky researchers also noted that the attackers utilized non-standard protocols implemented in Rust for data exfiltration, adding complexity to tracking their activities.

The campaign also exposes a significant vetting lapse: the infected apps passed the review processes of both Google Play and Apple’s App Store.

While some apps appeared legitimate, others were designed specifically to lure victims.

This cross-platform attack demonstrates the growing sophistication of cybercriminals targeting cryptocurrency assets.

To mitigate risks posed by SparkCat:

  • Uninstall Infected Apps: Remove any suspicious apps immediately and avoid reinstalling them until verified updates are available.
  • Secure Sensitive Data: Avoid storing screenshots of crypto wallet recovery phrases in your device gallery. Use secure password managers or dedicated storage solutions.
  • Adopt Robust Security Measures: Install reliable antivirus software on all devices and regularly update operating systems and apps.

This incident underscores the importance of vigilance against emerging threats targeting digital assets.

Both users and app developers must prioritize security to prevent similar breaches in the future.
