Kaspersky researchers have identified a malware campaign, dubbed SparkCat, distributing malicious applications on both Android and iOS platforms since March 2024. This malware employs optical character recognition (OCR) to scan photo libraries for cryptocurrency wallet recovery phrases.
“Kaspersky Threat Research expertise center has discovered a new data-stealing Trojan, SparkCat, active in AppStore and Google Play since at least March 2024. This is the first known instance of optical recognition-based malware appearing in AppStore. SparkCat uses machine learning to scan image galleries and steal screenshots containing cryptocurrency wallet recovery phrases. It can also find and extract other sensitive data in images, such as passwords.”
-Kaspersky
The investigation, conducted by Dmitry Kalinin and Sergey Puzan, noted that while some of the affected apps, like food delivery services, seem legitimate, others appear to deliberately deceive users. On February 6, Kaspersky confirmed that affected applications had been removed from the App Store, with Apple reporting the deletion of 11 apps that shared code with an additional 89 apps previously rejected or removed due to security concerns.
The malware was primarily found in an iOS app named ComeCome, which also appears on Google Play. According to Kaspersky, the app is designed to steal users’ cryptocurrency by locating screenshots of recovery phrases, also referred to as seed phrases, in the device’s photo gallery. It does this through a malicious software development kit (SDK) embedded in the app: the SDK decrypts and loads an OCR plugin, which is then used to read the text in the images stored on the device.
![Kaspersky: SparkCat malware is a nightmare for crypto owners 1 SparkCat malware is a nightmare for crypto owners](/wp-content/uploads/2025/02/SparkCat-malware-is-a-nightmare-for-crypto-owners-02_02.jpg)
Kaspersky highlighted that infected Google Play applications have been downloaded over 242,000 times. This incident marks the first discovery of an app infected with OCR spyware in Apple’s App Store, challenging the notion of the platform’s infallibility against malware threats.
The malware is not limited to crypto wallet recovery phrases: it can also extract other sensitive information from the gallery, such as messages or passwords captured in screenshots. The researchers emphasized that the permissions the malware requests may appear benign or necessary for the app’s advertised functionality, so users have little reason to suspect anything when granting them.
The SparkCat malware campaign is estimated to target Android and iOS users mainly in Europe and Asia. Kaspersky noted that the exact method of infection is still under investigation, as they cannot confirm whether SparkCat was introduced through a supply chain attack or malicious developer actions.
![Kaspersky: SparkCat malware is a nightmare for crypto owners 2 SparkCat malware is a nightmare for crypto owners](/wp-content/uploads/2025/02/SparkCat-malware-is-a-nightmare-for-crypto-owners-02.jpg)
On Android, the malicious SDK contains an obfuscated module named Spark, written mainly in Java, which communicates with a remote command-and-control (C2) server over a protocol implemented in Rust. After connecting to the C2 server, the malware uses the TextRecognizer interface of Google’s ML Kit library to extract text from images in the gallery.
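OCR on its own produces text for every image; the step that matters to a campaign like this one is picking out the few screenshots whose text looks like a recovery phrase before uploading them. The following Python block is an added example, not the page’s, Kaspersky’s or SparkCat’s code: it shows that triage stage over OCR output, and the same logic can be turned around by a defender and run over `tesseract` output from their own photo library to find seed-phrase screenshots before a malicious app does. The OCR samples are constructed for the example; the 12 to 24 word lengths come from BIP-39, while the 3 to 8 letter word shape, the keyword list and the stop-word list are heuristics assumed here.

```python
"""Triage of OCR output for cryptocurrency recovery phrases.

Added example, not Kaspersky's code and not SparkCat's. It shows the
text-filtering stage that has to follow OCR: only a small fraction of gallery
images carry a seed phrase, so the interesting screenshots must be picked
out of the text the OCR engine returns. A defender can run the same logic
over their own gallery (e.g. tesseract output) to find such screenshots first.
The OCR samples are constructed; the 12..24-word lengths come from BIP-39,
while the word shape, keyword list and stop-word list are assumed heuristics.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

MNEMONIC_LENGTHS = (12, 15, 18, 21, 24)          # valid BIP-39 phrase lengths
MIN_MNEMONIC = min(MNEMONIC_LENGTHS)
WORD_RE = re.compile(r"^[a-z]{3,8}$")            # shape of an English BIP-39 word (assumption)
TRIGGER_KEYWORDS = ("recovery phrase", "seed phrase", "mnemonic",
                    "secret phrase", "backup phrase")   # wallet-style labels (assumption)
# Ordinary prose is full of these; a real mnemonic contains almost none of them.
STOPWORDS = {"the", "and", "for", "you", "your", "this", "that", "with", "are",
             "was", "from", "have", "not", "but", "all", "then", "into", "over",
             "they", "will"}
MAX_STOPWORD_RATIO = 0.1


@dataclass
class Finding:
    image: str
    keyword_hit: bool          # a label such as "Recovery phrase" is present in the text
    phrase_like: bool          # a run of >= 12 word-shaped tokens with almost no stop words
    candidate: List[str] = field(default_factory=list)  # the run, capped at 24 words


def tokens(ocr_text: str) -> List[str]:
    """Lower-case word tokens; list numbering such as '1.' or '7)' drops out with the digits."""
    return re.findall(r"[a-z]+", ocr_text.lower())


def longest_word_run(toks: List[str]) -> List[str]:
    """Longest run of consecutive tokens that have the shape of a BIP-39 word."""
    best, cur = [], []
    for t in toks:
        cur = cur + [t] if WORD_RE.match(t) else []
        if len(cur) > len(best):
            best = cur
    return best


def triage(image: str, ocr_text: str) -> Optional[Finding]:
    """Return a Finding if the OCR text of `image` looks like it carries a recovery phrase."""
    lowered = ocr_text.lower()
    keyword_hit = any(k in lowered for k in TRIGGER_KEYWORDS)
    run = longest_word_run(tokens(ocr_text))
    stop_ratio = sum(t in STOPWORDS for t in run) / len(run) if run else 1.0
    phrase_like = len(run) >= MIN_MNEMONIC and stop_ratio <= MAX_STOPWORD_RATIO
    if not (keyword_hit or phrase_like):
        return None
    return Finding(image, keyword_hit, phrase_like, run[:max(MNEMONIC_LENGTHS)])


# Constructed OCR output, standing in for what ML Kit or tesseract would return.
SAMPLES = {
    "IMG_0412.png": "Your Recovery Phrase\nWrite these 12 words down in order\n"
                    "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
                    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident",
    "IMG_0413.png": "ComeCome order #4821\nTotal: 18.50 AED\nThank you for ordering",
    "IMG_0414.png": "The quick brown fox jumps over the lazy dog and then runs away "
                    "into the forest at night",
    "IMG_0415.png": "Never share your seed phrase with anyone who asks for it",
}


def scan_samples() -> dict:
    """Map image name -> Finding (or None) for the constructed samples."""
    return {name: triage(name, text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, f in scan_samples().items():
        if f is None:
            print(f"{name}: clean")
        else:
            print(f"{name}: keyword={f.keyword_hit} phrase_like={f.phrase_like} "
                  f"candidate={' '.join(f.candidate)}")
```

The heuristic deliberately errs toward recall, which is the same trade-off a gallery-scanning stealer makes (a false positive costs it only bandwidth), so a defender running it should expect a few benign hits such as the keyword-only match on the warning text in `IMG_0415.png`; replacing the word-shape check with a lookup in the 2048-word BIP-39 list removes most of them.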
Kaspersky’s analysis also found that the apps mislead users into granting access to their photo libraries, which is where screenshots of recovery phrases end up. Its detailed report stated that “the permissions that it requests may look like they are needed for its core functionality or appear harmless at first glance.”
Featured image credit: Kerem Gülen/Ideogram