SparkCat Malware Poses Security Threat to Play Store and App Store Users

A recent investigation by Kaspersky has uncovered a serious cybersecurity risk affecting both Apple iOS and Google Android users. Several apps available on the Google Play Store and Apple App Store have been found to contain a malicious software development kit (SDK) known as SparkCat.

This harmful SDK is designed to steal cryptocurrency wallet recovery phrases by using Optical Character Recognition (OCR) technology. By extracting sensitive information, SparkCat poses a significant threat to crypto users, potentially leading to financial losses.

Hundreds of thousands of consumers have already been impacted by the promotion, with over 242,000 downloads registered on the Google Play Store alone.

There is a difference in how the malicious SDK functions on iOS and Android devices. On Android, it makes use of Spark, a Java component that acts as an analytics module. This part gets encrypted configuration files from GitLab that have orders and updates for the malware. The framework employs a networking module named im_net_sys, which is built on Rust, to interface with C2 servers on iOS. It goes by other names on the platform, including Gzip, googleappsdk, and Stat.

How the Malware Steals Crypto Wallets?

SparkCat scans user-posted images for Bitcoin wallet recovery phrases. These phrases are often stored as screenshots or photos for easy access.

• The malware uses Google ML Kit OCR to detect Latin, Korean, Chinese, and Japanese keywords.
• Once a recovery phrase is found, it is sent to the attacker’s server, allowing them to access the victim’s cryptocurrency without needing a password.

According to Kaspersky’s research, the malware uses different keywords and targeting tactics for different regions, such as Europe and Asia. Nevertheless, the researchers are quick to point out that the apps might still work in locations where they weren’t intended, which could put more people at risk.

There have been 18 confirmed cases of malware in Android apps and 10 in iOS apps. If you want to see which apps were impacted, you can check out Kaspersky’s report here. As an example, consider the Android software ChatAi, which was withdrawn from the Google Play Store after more than 50,000 downloads. Many other infected apps are still available on both platforms, which is stressful.

You need to remove the malicious apps right away if you think you’ve installed any of them. You should also run a scan with a trustworthy mobile antivirus program to check for any remaining viruses, as advised by experts. It may be required to do a factory reset in extreme circumstances to guarantee full removal. Another option for extra protection is to use a self-hosted, offline password manager that has vault features.