Cyber Security News

Malicious Android & iOS Apps Downloaded Over 242,000 Times, Stealing Crypto Recovery Keys

A sophisticated malware campaign, dubbed SparkCat, has infiltrated Google Play and Apple’s App Store, marking the first known instance of an optical character recognition (OCR)-based cryptocurrency stealer on iOS.

According to cybersecurity firm Kaspersky, the malware has been downloaded over 242,000 times since its emergence in March 2024.

It targets sensitive cryptocurrency wallet recovery phrases stored in images, posing a significant threat to users across Europe, Asia, and beyond.

Android & iOS AppsAndroid & iOS Apps
Negative user feedback about ComeCome

How SparkCat Operates

SparkCat is embedded within malicious software development kits (SDKs) integrated into seemingly legitimate apps.

On Android, it operates via a Java-based SDK named “Spark,” disguised as an analytics module.

Android & iOS AppsAndroid & iOS Apps
Suspicious SDK being called

For iOS, the malware uses a malicious framework under aliases like “GZIP” or “googleappsdk,” written in Objective-C and obfuscated with HikariLLVM for stealth.

The malware employs Google ML Kit’s OCR technology to scan image galleries for recovery phrases mnemonics critical for accessing cryptocurrency wallets.

These phrases are extracted from screenshots or notes and uploaded to attacker-controlled servers via encrypted channels, including Amazon cloud storage or a Rust-based protocol.

To avoid detection, SparkCat requests gallery access only during specific user actions, such as initiating support chats.

This selective behavior minimizes suspicion while enabling the malware to execute its primary function covertly.

Widespread Impact and Technical Sophistication

The infected apps span various categories, including food delivery services, AI-powered messaging platforms, and crypto-related tools.

Some apps appear legitimate, while others are designed to lure victims.

The campaign’s cross-platform compatibility and use of the Rust programming language a rarity in mobile applications, highlight its technical sophistication.

Kaspersky’s analysis revealed that SparkCat selectively targets users based on keywords in multiple languages, including English, Chinese, Korean, Japanese, and European languages.

To mitigate the risk posed by SparkCat:

  • Uninstall suspicious apps immediately and run antivirus scans.
  • Avoid storing sensitive information like recovery phrases in screenshots or unencrypted formats.
  • Use secure offline storage solutions or hardware wallets for cryptocurrency keys.
  • Regularly update software and avoid downloading apps from unofficial sources.

Google and Apple have been notified about the infected apps; however, some remain available for download.

Users must exercise caution when granting permissions to apps that request access to sensitive data.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Fedora Linux Joins the Windows Subsystem for Linux Officially

Fedora Project has announced the official availability of Fedora Linux on the Windows Subsystem for…

12 minutes ago

Microsoft Launches “Copilot+ PC” for an Upgraded Windows Experience

Microsoft has announced a significant wave of new Windows experiences designed for Copilot+ PCs, which…

16 minutes ago

Nomad Bridge Hacker Apprehended in Connection with $190 Million Heist

Alexander Gurevich, a 47-year-old dual Russian-Israeli citizen, was arrested last Thursday at Ben-Gurion Airport while…

24 minutes ago

160-Year-Old Haulage Firm Falls After Cyber-Attack: Director Issues Urgent Warning

The 160-year-old haulage giant Knights of Old, once a stalwart of the UK’s logistics sector,…

29 minutes ago

SonicWall Unveils New Firewalls and Comprehensive Managed Cybersecurity Service

SonicWall has unveiled a new line of advanced firewalls and a comprehensive managed cybersecurity service…

34 minutes ago

China-Backed Hackers Target Exiled Uyghur Community with Malicious Software

Senior members of the World Uyghur Congress (WUC) living in exile were targeted with a…

38 minutes ago