Kaspersky has raised an alarm over a newly discovered malware called SparkCat that targets private keys and cryptocurrency wallet recovery phrases on both Android and iOS devices. The malware has already been downloaded over 200,000 times and is spreading through apps that appear harmless but contain malicious software development kits (SDKs). These infected apps, such as food delivery and AI-powered messaging apps, are available on Google Play and the App Store.
How SparkCat Works: SparkCat is equipped with Optical Character Recognition (OCR) technology, which allows it to scan the victim’s photo gallery for crypto wallet recovery phrases. These phrases are often stored in screenshots or saved notes, and the malware hunts for specific keywords related to these phrases.
Here’s a breakdown of how the malware operates on both platforms:
- On Android: SparkCat is injected via a Java-based SDK called Spark, which masquerades as an analytics module. When an infected app is launched, Spark retrieves an encrypted configuration file from a remote GitLab repository. It then uses Google ML Kit’s OCR tool to scan images in the device’s gallery for wallet recovery phrases in various languages, including English, Chinese, Korean, Japanese, and other European languages. The stolen data is then uploaded to an attacker-controlled server, typically via Amazon cloud storage or a Rust-based protocol that encrypts the data and complicates detection.
- On iOS: The iOS version operates through a malicious framework embedded in apps, disguised under names like GZIP, googleappsdk, or stat. This framework integrates with the Google ML Kit to extract text from images in the gallery. To avoid suspicion, it only requests gallery access when users engage with specific actions, like opening a support chat.
Additional Risks: The malware’s flexibility means it could steal more than just crypto wallet information. It could also compromise passwords, messages, and other sensitive data stored in screenshots.
Geographical Impact: Kaspersky estimates that SparkCat has infected over 242,000 devices, mainly across Europe and Asia. While the exact origin remains unclear, embedded comments in the code suggest that the developers might be fluent in Chinese.
What Users Should Do: Kaspersky urges users to avoid storing important information like seed phrases, private keys, and passwords in screenshots. Users should also be cautious when downloading apps from unofficial sources, as malware campaigns targeting cryptocurrency users remain a serious threat.
This is not the first time the crypto community has faced such sophisticated attacks. In September 2024, Binance flagged Clipper malware, which replaced wallet addresses copied to the clipboard with addresses controlled by the attacker. Such threats have contributed to some of the most significant losses in the cryptocurrency space due to private key theft.
SparkCat highlights the ongoing risk posed by malicious actors in the crypto ecosystem. It’s essential for users to take extra precautions, such as avoiding the storage of sensitive information in easily accessible places like screenshots and staying vigilant when using mobile apps.