New Crypto-Stealing Malware 'SparkCat' Infiltrates Apple and Google App Stores

Cybersecurity firm Kaspersky has uncovered a sophisticated malware campaign dubbed 'SparkCat' that has infiltrated both Apple's App Store and Google Play Store, putting cryptocurrency users at particular risk.

The malware, active since March 2024, employs advanced optical character recognition (OCR) technology to scan users' photo galleries for cryptocurrency wallet recovery phrases and other sensitive data. This marks the first known instance of OCR-based malware successfully penetrating Apple's App Store.

According to Kaspersky's findings, the infected Android apps on Google Play Store have already been downloaded over 242,000 times. Several malicious apps remain available on iOS, including AI chat tools WeTink and AnyGPT, and a food delivery app called ComeCome.

The malware spreads through both compromised legitimate apps and deceptive applications across various categories, including messaging, AI assistants, and food delivery services. Once installed, SparkCat requests gallery access and analyzes stored images using machine learning technology. When it detects relevant keywords, it transmits the images to the attackers' servers.

"The stealthiness of this Trojan makes it hard to discover for both store moderators and mobile users," notes Dmitry Kalinin, malware analyst at Kaspersky. "The permissions it requests seem reasonable, making them easy to overlook."

The campaign primarily targets users in the UAE, Europe, and Asia, with text recognition capabilities in multiple languages including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese.

While analysis revealed Chinese language elements in the code, researchers have not attributed the campaign to any specific cybercriminal group. The malware employs an unusual protocol written in Rust for communication with command-and-control servers.

To protect against SparkCat, users should:

  • Remove any infected applications immediately
  • Avoid storing screenshots with sensitive information in phone galleries
  • Use dedicated password management tools for storing sensitive data
  • Install reliable cybersecurity software

The discovery highlights ongoing security challenges in official app stores, with Google reporting it blocked over 2.3 million risky Android apps in 2024 alone.