Researchers at Kaspersky have uncovered a sophisticated malware campaign dubbed SparkCat, which infects both Android and iOS applications to steal cryptocurrency wallet recovery phrases. The malware, embedded in apps available on Google Play and Apple's App Store, uses Optical Character Recognition (OCR) to scan image galleries for sensitive information. This marks the first time a stealer of this kind has been found in Apple's App Store.
The tactic was first documented by ESET researchers, who, in March 2023, identified malware-laced messaging app mods that scanned image galleries for crypto wallet recovery phrases. The attackers leveraged OCR models to identify relevant images and exfiltrate them to a command-and-control (C2) server. By late 2024, Kaspersky detected a similar attack targeting both Android and iOS users through official and third-party app stores, leading to the discovery of the SparkCat campaign.
Kaspersky found that malicious apps in Google Play had been downloaded more than 242,000 times. The Android malware module decrypted and executed an OCR plug-in built using Google's ML Kit library to scan image galleries for specific keywords. The iOS version functioned similarly, with the malicious framework written in Objective-C and obfuscated with HikariLLVM. Both versions relied on a custom Rust-based communication protocol to interact with the C2 servers, an uncommon approach in mobile malware development.
Among the infected apps was ComeCome, a food delivery service available in the UAE and Indonesia. The Android variant of ComeCome contained a malicious SDK named Spark, which downloaded its configuration from GitLab repositories. The SDK leveraged AES-256 encryption to communicate with its C2, obfuscating its activity. If access to the image gallery was granted — often under the guise of enabling customer support chat functionality — the malware would scan images for keywords related to crypto wallet recovery phrases and upload matching files to attacker-controlled servers.
Kaspersky also detected malicious iOS frameworks embedded in various apps, some appearing to be legitimate services while others were seemingly designed to lure victims. The SparkCat malware had a built-in capability to filter extracted OCR results using keyword matching, dictionary searches, and word length thresholds. It was designed to specifically target financial information, including recovery phrases in multiple languages such as English, Chinese, Japanese, Korean, and several European languages.
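To make the three filtering signals the report names concrete (keyword matching, dictionary lookup, word-length thresholds), here is an added example, not SparkCat's code or Kaspersky's, written from the defender's side: a DLP-style check a user or security team could run over OCR output of their own screenshots to find recovery phrases that should not be sitting in a photo gallery. It assumes English BIP-39 phrases and uses a constructed subset of the public word list.

```python
"""Flag OCR text that looks like a wallet recovery phrase (gallery hygiene / DLP check)."""
import re

# Assumption: English BIP-39 phrases. Constructed subset of the public
# 2048-word list; a real deployment loads the full list from a file.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
""".split())

KEYWORDS = ("recovery phrase", "seed phrase", "mnemonic", "backup phrase",
            "secret phrase")
VALID_COUNTS = {12, 15, 18, 21, 24}   # BIP-39 mnemonic lengths
MIN_LEN, MAX_LEN = 3, 8               # every BIP-39 English word fits this range


def longest_dictionary_run(tokens):
    """Length of the longest run of consecutive tokens that pass the
    length threshold and the dictionary lookup."""
    best = run = 0
    for tok in tokens:
        ok = MIN_LEN <= len(tok) <= MAX_LEN and tok in BIP39_SUBSET
        run = run + 1 if ok else 0
        best = max(best, run)
    return best


def classify(ocr_text):
    """Return 'likely', 'suspect' or 'clear' for one image's OCR output."""
    text = ocr_text.lower()
    tokens = re.findall(r"[a-z]+", text)   # drops the "1." numbering wallet UIs print
    run = longest_dictionary_run(tokens)
    keyword_hit = any(k in text for k in KEYWORDS)
    if run in VALID_COUNTS:                # a full mnemonic-length run of dictionary words
        return "likely"
    if keyword_hit and run >= 6:           # wallet wording plus a partial phrase
        return "suspect"
    return "clear"


if __name__ == "__main__":
    # Constructed OCR outputs standing in for gallery screenshots.
    samples = {
        "wallet": "Write down your recovery phrase 1. abandon 2. ability 3. able "
                  "4. about 5. above 6. absent 7. absorb 8. abstract 9. absurd "
                  "10. abuse 11. access 12. accident",
        "receipt": "ComeCome order #4512 total 38.50 AED thank you",
    }
    for name, text in samples.items():
        print(name, classify(text))
```

With the full word list, ordinary prose contains many BIP-39 words, so the run-length and count checks, not dictionary membership alone, are what keep false positives down.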
For exfiltration, the malware extracted and encrypted images that matched specific keywords before transmitting them to the C2 server. On Android, the SDK requested access to the gallery whenever the user interacted with customer support, repeatedly prompting if denied. On iOS, the malware hijacked methods in legitimate app components to trigger data theft without raising suspicion. Extracted images were uploaded to an Amazon cloud storage bucket before their URLs were sent to the attackers' infrastructure.
Users are advised to check the full list of apps in Kaspersky's report and uninstall them immediately. More generally, be cautious with app permissions and avoid granting unnecessary access to sensitive data, especially gallery and clipboard permissions. While Google and Apple take down harmful apps, users should verify an app's legitimacy before installation.