TLDR
SparkCat malware has infected over 242,000 Android and iOS devices through legitimate-looking apps, using optical character recognition to steal crypto wallet keys from users’ photo galleries
The malware has been active since March 2024 and is distributed through infected software development kits (SDKs) in apps that were available on official app stores
This is the first known instance of an OCR-based crypto stealer reaching Apple’s iOS platform
The malware can scan images in multiple languages and sends stolen data to attacker-controlled servers via Amazon cloud storage or a Rust-based protocol
Code analysis suggests the malware developers are fluent in Chinese, though exact origin remains unknown
A sophisticated malware campaign named SparkCat has infected over 242,000 mobile devices across Europe and Asia, targeting cryptocurrency users through compromised applications on both Android and iOS platforms. Cybersecurity firm Kaspersky revealed these findings in a February 4 report, detailing how the malware uses optical character recognition technology to steal crypto wallet private keys.
The malware, active since March 2024, has successfully infiltrated both Google Play and Apple’s App Store through seemingly legitimate applications. These infected apps include popular categories such as food delivery services and AI-powered messaging platforms, demonstrating the attackers’ ability to bypass standard security measures.
SparkCat represents a technical milestone in malware development, as it marks the first known instance of an OCR-based cryptocurrency stealer successfully penetrating Apple’s iOS ecosystem. This development has raised concerns about the evolving sophistication of mobile-based crypto threats.
On Android devices, the malware operates through a Java-based SDK called Spark, which presents itself as an analytics module to avoid detection. Upon launching an infected app, the malware initiates contact with a remote GitLab repository to retrieve its configuration files.
The iOS version of SparkCat takes a different approach, using a malicious framework that masquerades under various names such as GZIP, googleappsdk, or stat. The framework is written in Objective-C and is obfuscated with HikariLLVM to hinder analysis and detection.
Both versions of the malware employ Google ML Kit’s OCR capabilities to scan through users’ photo galleries, searching for cryptocurrency wallet recovery phrases. The scanning functionality supports multiple languages, including English, Chinese, Korean, Japanese, and several European languages.
To maintain stealth on iOS devices, the malware only requests gallery access when users perform specific actions, such as opening a support chat. This selective approach helps the malware avoid raising suspicion through unnecessary permission requests.
Once SparkCat identifies potential cryptocurrency-related information in images, it uploads the data to attacker-controlled servers. The transmission occurs either through Amazon cloud storage services or via a custom Rust-based protocol; the protocol’s encrypted transfers and non-standard communication methods make the traffic harder to track.
The malware’s capabilities extend beyond cryptocurrency theft. Kaspersky researchers noted that SparkCat’s flexibility allows it to capture other sensitive information, including message content and passwords that users might have saved in screenshots.
While the exact origin of SparkCat remains unknown, analysis of the malware’s code revealed embedded comments and error messages in Chinese, suggesting its developers are fluent in the language. However, researchers have not attributed the campaign to any specific group or region.
The SparkCat campaign follows a pattern of increasingly sophisticated attacks targeting the cryptocurrency community. In September 2024, crypto exchange Binance identified another threat called Clipper malware, which targeted users through unofficial mobile apps and plugins.
Kaspersky’s research team has issued specific recommendations to mobile users, particularly emphasizing the importance of avoiding storing sensitive information like seed phrases, private keys, and passwords in screenshots or photos on mobile devices.
The discovery of SparkCat adds to a growing list of security challenges facing the cryptocurrency industry. The malware’s success in infiltrating official app stores highlights the ongoing arms race between security measures and malicious actors in the mobile app ecosystem.
The scale of the infection, reaching over 242,000 devices, makes this one of the larger mobile malware campaigns targeting cryptocurrency users in recent months. The geographic spread across Europe and Asia suggests a well-coordinated distribution strategy by the attackers.
The post Kaspersky Uncovers Mobile Malware Targeting Crypto Users on iOS and Android appeared first on Blockonomi.