Malicious Android and iOS applications downloaded more than 242,000 times, stealing cryptocurrency wallet recovery phrases


A sophisticated malware campaign, dubbed SparkCat, infiltrated both Google Play and the Apple App Store, marking the first known instance of an OCR-based (optical character recognition) cryptocurrency stealer on iOS.

According to the cybersecurity company Kaspersky, the malware has been downloaded more than 242,000 times since it first appeared in March 2024.

It targets cryptocurrency wallet recovery phrases (seed phrases) stored in images, posing a significant threat to users across Europe, Asia and beyond.

Figure: negative user reviews of the ComeCome app

How SparkCat works

SparkCat is delivered as a malicious software development kit (SDK) embedded in apparently legitimate applications.

On Android, it operates as a Java-based SDK called “Spark”, disguised as an analytics module.

Figure: the suspect SDK being called

On iOS, the malware ships as a malicious framework under aliases such as “GZIP” or “googleappsdk”, written in Objective-C and obfuscated with HikariLLVM for stealth.

The malware uses the OCR capability of Google's ML Kit to scan the device's image gallery for mnemonic recovery phrases that grant access to cryptocurrency wallets.

These phrases are extracted from screenshots or notes and uploaded to attacker-controlled servers over encrypted channels, using either Amazon cloud storage or a Rust-based protocol.

To avoid detection, SparkCat requests gallery access only during specific user actions, such as opening the in-app support chat.

This selective behavior keeps suspicion low while still allowing the malware to carry out its main function covertly.

Widespread impact and technical sophistication

Infected applications span several categories, including food delivery services, AI-powered messaging platforms and crypto-related tools.

Some of the applications appear to be legitimate, while others were built purely to lure victims.

The campaign's cross-platform reach and its use of the Rust programming language, which is rare in mobile applications, highlight its technical sophistication.

Kaspersky's analysis revealed that SparkCat selectively targets users based on keywords in several languages, including English, Chinese, Korean, Japanese and various European languages.
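The OCR scan described above and the multilingual keyword targeting are the two stages a defender can reproduce over their own screenshots to find what SparkCat would find. The Python below is an added example, not code from the article or from Kaspersky's report: it triages constructed OCR output with an assumed set of trigger keywords (not the malware's actual list), then confirms any 12- to 24-word run against the BIP-39 checksum. The wordlist here is a partial stand-in holding only the words the sample needs; a real scan loads the full 2048-word BIP-39 list.

```python
import hashlib
import re

# Constructed trigger keywords in several languages. These are illustrative
# assumptions for this example, not the keyword list reported for SparkCat.
TRIGGER_KEYWORDS = {
    "en": ["seed phrase", "recovery phrase", "mnemonic"],
    "zh": ["助记词"],
    "ja": ["シードフレーズ"],
    "ko": ["시드 구문"],
    "fr": ["phrase de récupération"],
}

# Partial stand-in for the 2048-word BIP-39 English list (word -> index).
# Only the words used by the sample below are present; load the full list
# for real use.
BIP39_PARTIAL = {"abandon": 0, "about": 3}

VALID_LENGTHS = (12, 15, 18, 21, 24)


def matched_keywords(text):
    """Return (language, keyword) pairs whose keyword occurs in the OCR text."""
    lowered = text.lower()
    return [(lang, kw) for lang, kws in TRIGGER_KEYWORDS.items()
            for kw in kws if kw.lower() in lowered]


def candidate_phrases(text):
    """Yield every run of 12/15/18/21/24 consecutive lowercase ASCII words."""
    tokens = re.findall(r"[a-z]+", text.lower())
    for n in VALID_LENGTHS:
        for i in range(len(tokens) - n + 1):
            yield tokens[i:i + n]


def is_valid_bip39(words, wordlist):
    """Check a candidate mnemonic against the BIP-39 checksum.

    Each word encodes 11 bits; the last ENT/32 bits are the first bits of
    SHA-256 over the entropy bytes. An unknown word means 'not a mnemonic'.
    """
    if len(words) not in VALID_LENGTHS:
        return False
    try:
        bits = "".join(format(wordlist[w], "011b") for w in words)
    except KeyError:
        return False
    cs_len = len(words) // 3              # 4 bits for 12 words, 8 for 24
    ent_bits, checksum = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return checksum == expected


def scan_ocr_text(text, wordlist=BIP39_PARTIAL):
    """Triage one image's OCR output: keyword hits plus checksum-valid phrases."""
    hits = matched_keywords(text)
    phrases = list(dict.fromkeys(
        " ".join(c) for c in candidate_phrases(text) if is_valid_bip39(c, wordlist)))
    return {"keywords": hits, "valid_phrases": phrases, "flag": bool(hits or phrases)}


# Constructed OCR output for three imaginary gallery images. The first uses
# the well-known all-zero-entropy BIP-39 test vector.
SAMPLE_OCR = {
    "IMG_0001.png": "Backup - seed phrase: " + " ".join(["abandon"] * 11 + ["about"]),
    "IMG_0002.png": "Lunch receipt total 12.40 thanks for your order",
    "IMG_0003.png": "助记词 请妥善保管",
}

if __name__ == "__main__":
    for name, text in SAMPLE_OCR.items():
        print(name, scan_ocr_text(text))
```

Only IMG_0002.png comes back unflagged; IMG_0001.png yields both a keyword hit and a checksum-valid phrase, and IMG_0003.png is flagged on the Chinese keyword alone, which mirrors why keyword targeting lets a stealer upload a screenshot before it has fully parsed it.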

To mitigate the risk posed by SparkCat:

  • Immediately uninstall any suspect application and run an antivirus scan.
  • Avoid storing sensitive information such as recovery phrases in screenshots or other unencrypted formats.
  • Use secure offline storage or a hardware wallet for cryptocurrency keys.
  • Keep software up to date and avoid installing applications from unofficial sources.

Google and Apple have been notified of the infected applications; however, some remain available for download.

Users should be cautious when granting permissions to applications that request access to sensitive data.
