Newly discovered malware that infiltrated popular mobile applications to steal private cryptocurrency wallet keys has been downloaded more than 200,000 times.
SparkCat, malicious software targeting Android and iOS users, spreads through malicious software development kits (SDKs) embedded in seemingly harmless applications, cybersecurity company Kaspersky warned in a February 4 report.
It uses optical character recognition (OCR), a technology that reads text from images, to browse a victim's photo gallery, hunting for crypto wallet recovery phrases hidden in screenshots or saved notes.
The malware has been active since March 2024, and some of the infected applications, including food delivery apps and AI-powered messaging apps, were available on Google Play and the App Store. It is also the first known case of an OCR-based stealer reaching Apple's platform.
How does Sparkcat work?
On Android, the malware is injected via a Java-based SDK called Spark, which disguises itself as an analytics module. When an infected application is launched, Spark retrieves an encrypted configuration file from a remote GitLab repository.
Once active, SparkCat uses the OCR tool from Google's ML Kit to scan the device's image gallery. It looks for specific keywords related to crypto wallet recovery phrases in several languages, including English, Chinese, Korean, Japanese and several European languages.
The malware then uploads the image to an attacker-controlled server, either via Amazon cloud storage or via a Rust-based protocol, which makes its activity harder to monitor because of encrypted data transfers and non-standard communication methods.
On iOS, SparkCat operates through a malicious framework embedded in infected applications, disguised under names such as Gzip, Googleappsdk or Stat. This framework, written in Objective-C and obfuscated with HikariLLVM, hooks into Google's ML Kit to extract text from gallery images.
To avoid raising suspicion, the iOS version only requests access to the gallery when users perform specific actions, such as opening a support chat.
The report also warned that the malware's “flexibility” allows it to steal other sensitive data, such as “message contents or passwords that could remain in screenshots”.
Users at risk
Kaspersky estimates that the malware has infected more than 242,000 devices across Europe and Asia. Although its exact origin remains unknown, comments embedded in the code and error messages suggest that the malware's developers are fluent in Chinese.
Kaspersky researchers urge users to avoid storing sensitive information such as seed phrases, private keys and passwords in screenshots.
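The keyword scan described above is also the basis of a defensive self-audit: a device owner can run OCR over their own gallery and flag anything that looks like a recovery phrase, then move it to proper storage and delete the image. The following is an added example, not code from the article or from Kaspersky. It assumes the OCR step has already been done (an OCR library such as Tesseract would supply the text in practice) and works only on the extracted text; the keyword lists, the hypothetical file names and the sample OCR output are constructed for illustration, and the phrase-shape check is a heuristic that does not consult the BIP-39 wordlist, so hits need a human look.

```python
import re
from dataclasses import dataclass, field

# Keywords a screenshot or note might carry next to a recovery phrase.
# Constructed subset for illustration, not Kaspersky's list.
KEYWORDS = {
    "en": ["seed phrase", "recovery phrase", "mnemonic", "secret phrase", "backup phrase"],
    "zh": ["助记词"],  # "mnemonic words"
}

# BIP-39 mnemonics are 12, 15, 18, 21 or 24 lowercase words of 3-8 letters.
VALID_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[a-z]{3,8}$")
LIST_NUMBER_RE = re.compile(r"\b\d+[.)]?")  # "1." / "2)" / "3" in numbered lists


@dataclass
class Finding:
    source: str
    keyword_hits: list = field(default_factory=list)
    phrase_lengths: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.keyword_hits or self.phrase_lengths)


def find_keywords(text: str) -> list:
    """Case-insensitive substring match against every keyword list."""
    low = text.lower()
    return [kw for words in KEYWORDS.values() for kw in words if kw in low]


def candidate_phrase_lengths(text: str) -> list:
    """Lengths of runs of consecutive BIP-39-shaped words whose count is a
    valid mnemonic size. Numbered lists ("1. abandon 2. ability ...") are
    normalised by dropping the numbers first. Heuristic only: words are not
    checked against the BIP-39 wordlist."""
    tokens = LIST_NUMBER_RE.sub(" ", text).split()
    lengths, run = [], 0
    for tok in tokens + [""]:  # empty sentinel flushes the final run
        if WORD_RE.match(tok):
            run += 1
            continue
        if run in VALID_LENGTHS:
            lengths.append(run)
        run = 0
    return lengths


def audit_text(source: str, text: str) -> Finding:
    return Finding(source, find_keywords(text), candidate_phrase_lengths(text))


def audit_gallery(texts: dict) -> list:
    """texts maps an image/note name to its OCR output; returns risky items only."""
    return [f for f in (audit_text(s, t) for s, t in texts.items()) if f.risky]


# Constructed OCR output standing in for a real gallery scan (file names are made up).
SAMPLE_OCR = {
    "IMG_0001.png": (
        "My seed phrase: 1. abandon 2. ability 3. able 4. about 5. above "
        "6. absent 7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident"
    ),
    "IMG_0002.png": "Order #4521 confirmed! Your pizza arrives in 25 min.",
    "note_zh.txt": "钱包 助记词 备份",
}

if __name__ == "__main__":
    for f in audit_gallery(SAMPLE_OCR):
        print(f"{f.source}: keywords={f.keyword_hits} phrase_lengths={f.phrase_lengths}")
```

Run against the constructed sample, the first screenshot is flagged both by the "seed phrase" keyword and by the run of twelve word-shaped tokens, the Chinese note is flagged by keyword alone, and the delivery confirmation is not flagged. Treating keyword hits and phrase shape as independent signals matters because a phrase photographed without any label would otherwise slip through.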
Sophisticated malware campaigns remain a persistent threat in the crypto space, and this is not the first time bad actors have managed to bypass the security measures of Google's and Apple's app stores.
In September 2024, crypto exchange Binance reported “Clipper malware”, which infected devices via unofficial mobile applications and plugins and replaced the victim's copied wallet address with one controlled by the attacker, tricking the victim into transferring crypto to the wrong destination.
Meanwhile, private key theft has inflicted serious damage on the crypto industry, being one of the main reasons for some of its largest losses to date.