Kaspersky warns of SparkCat malware that targets private keys on Android and iOS



A newly discovered malware strain, which infiltrates popular mobile apps to steal cryptocurrency wallet private keys, has been downloaded more than 200,000 times.

The malware, SparkCat, targets both Android and iOS and spreads through malicious software development kits (SDKs) embedded in seemingly harmless apps, cyber security firm Kaspersky warned in a report on 4 February.

It uses optical character recognition (OCR), a technique that reads text from images, to scan a victim’s photo gallery, hunting for screenshots or saved notes that contain crypto wallet recovery phrases.

The malware has been active since March 2024, and some of the infected apps, including food delivery and AI-powered messaging apps, were available on Google Play and the App Store. It is also the first known example of an OCR-based stealer reaching Apple’s platform.

How does SparkCat work?

On Android, the malware is injected through a Java-based SDK called Spark, which disguises itself as an analytics module. When an infected app is launched, Spark retrieves an encrypted configuration file from a remote GitLab repository.

Once active, SparkCat uses the OCR tool of the Google ML Kit to scan the images in the device’s gallery. It looks for specific keywords related to crypto wallet recovery phrases in many languages, including English, Chinese, Korean, Japanese and several European languages.

The malware then uploads the matching images to an attacker-controlled server, either through Amazon cloud storage or a Rust-based protocol. The encrypted data transfer and non-standard communication methods add an extra layer of difficulty to tracking its activity.

On iOS, SparkCat operates through a malicious framework embedded in infected apps, disguised under names such as Gzip, Googleappsdk or Stat. This framework, written in Objective-C and obfuscated with HikariLLVM, integrates with Google ML Kit to extract text from images in the gallery.

To avoid raising suspicion, the iOS version only requests gallery access when the user performs specific actions, such as opening a support chat.

The report also warns that the “flexibility of the malware” allows it to steal other sensitive data, such as “messages or passwords” captured in screenshots.

Many users at risk

Kaspersky estimates that the malware has infected over 242,000 devices across Europe and Asia. While its exact origin remains unknown, comments embedded in the code and error messages suggest that the malware developers are fluent in Chinese.

Researchers at Kaspersky urge users to avoid storing important information such as seed phrases, private keys and passwords in screenshots.

Sophisticated malware campaigns remain a consistent threat within the crypto space, and this is not the first time that bad actors have managed to bypass Google’s and Apple’s app store security measures.

In September 2024, the crypto exchange Binance flagged “clipper malware”, which infected devices through unofficial mobile apps and plugins and replaced the victim’s copied wallet address with one controlled by the attacker, so that the crypto was sent to the wrong destination.

Meanwhile, private key theft has caused serious damage to the crypto industry and is one of the main reasons behind some of its biggest losses.


