A newly uncovered malware campaign is making waves by targeting cryptocurrency users on iOS and Android platforms. Security experts at Kaspersky have identified a malicious software development kit (SDK) named SparkCat that has been embedded in several apps across the Apple App Store and Google Play. This malware is designed to steal sensitive cryptocurrency wallet recovery phrases using optical character recognition (OCR) technology to scan screenshots stored on users’ devices.
SparkCat’s stealthy nature is concerning because it has bypassed stringent app store reviews, infecting apps that appeared entirely legitimate. One of the first infected apps discovered was a food delivery service called ComeCome, available in the UAE and Indonesia. Meanwhile, the Android versions of these infected apps have been downloaded over 242,000 times.
Sneaky malware with advanced capabilities
Unlike traditional malware that spreads through unofficial app stores, SparkCat infiltrated the official app stores themselves. Once installed, it silently scans users’ photo galleries for wallet recovery phrases. This sensitive data is then uploaded to a command-and-control (C2) server controlled by the attackers, enabling them to gain full access to the victim’s crypto funds remotely.
The malware uses a custom protocol built in Rust, which is rarely seen in mobile apps, adding another layer of sophistication. Apps compromised by SparkCat include seemingly harmless ones, such as food delivery services and AI-powered messaging platforms. Researchers revealed that SparkCat has been active since at least March 2024, but Apple and Google have not disclosed the complete list of infected apps, leaving many users unaware of the threat on their devices.
What to do if you’re at risk
Apple and Google have removed most infected apps, but security experts caution that some might still be available through sideloading or other third-party sources. Taking action immediately is crucial if you suspect you’ve installed one of these apps. Deleting suspicious apps and thoroughly scanning your device can help mitigate the risk. Users are also advised to check their crypto wallets for any signs of unauthorized access.
To protect your assets, avoid storing recovery phrases in screenshots or photos, as attackers can easily extract this information using malware like SparkCat. If you believe your wallet has been compromised, transfer your funds to a new wallet with a fresh recovery phrase. However, only do so after ensuring your device is clean of malware. To minimize future risks, reset app permissions, clear cached data, and reinstall apps only from trusted sources.
Staying secure in a digital age
With advanced threats like SparkCat making their way into trusted app stores, staying vigilant is more critical than ever. Regularly updating your apps, using mobile security tools, and avoiding suspicious downloads can go a long way in keeping your crypto investments safe. As technology evolves, so do the methods used by attackers, making it essential to stay one step ahead in securing your digital assets.