Key Points
- Kaspersky researchers identified SparkCat, a malware campaign that has been planting stealer code in Android and iOS apps since at least March 2024.
- The malware uses optical character recognition (OCR) to scan images in the device's photo gallery for cryptocurrency wallet recovery phrases.
- Infected apps include ComeCome, AnyGPT and WeTink. The infected Google Play apps had been downloaded over 242,000 times, and infected apps were also found in Apple's App Store.
- Users should grant photo-library access sparingly and never keep a recovery phrase as a screenshot or photo.
Cybersecurity researchers from Kaspersky have identified a sophisticated malware campaign, dubbed SparkCat, that has been infiltrating apps on the Google Play Store and Apple's App Store since at least March 2024. The malware steals sensitive data by running optical character recognition (OCR) over the images in the victim's photo gallery, screenshots included, and searching the extracted text for cryptocurrency wallet recovery phrases.
Researchers Dmitry Kalinin and Sergey Puzan shared their findings, revealing that SparkCat operates stealthily, hiding inside seemingly legitimate applications. Some infected apps, such as the food delivery service ComeCome and the AI chatbot applications AnyGPT and WeTink, were still available for download at the time of the report. While some affected apps appear genuine, others may have been created specifically to lure victims.
The malicious code asks for photo-gallery access at a point where the request looks routine, so the user has little reason to refuse it. Once access is granted, it runs OCR over the images in the gallery and searches the recognised text for sensitive strings, above all wallet recovery phrases. If it finds one, the malware extracts it, and a recovery phrase is all an attacker needs to restore the wallet elsewhere and empty it. Because the search is OCR-based, the phrase does not have to be stored as text: a screenshot of a wallet's backup screen or a photo of a paper backup is just as exposed as a note file.
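The matching step described above, as an added example that is not Kaspersky's analysis or SparkCat's code: given OCR output for a gallery image, flag runs of words drawn from the BIP39 recovery-phrase wordlist, which is what a stealer of this kind (and equally a defensive scan of your own gallery) has to do. The wordlist subset and the OCR strings are constructed for the example; the function names are ours.

```python
import re

# Constructed for this example: the first words of the BIP39 English wordlist.
# The real list has 2048 entries; a full scanner would load it from the spec.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access accident
account accuse achieve acid acoustic acquire across act action actor actress actual
adapt add addict address adjust admit adult advance advice aerobic affair afford afraid
again age agent agree ahead aim air airport aisle alarm album alcohol alert alien all
alley allow almost alone alpha already also alter always amateur amazing among amount
""".split())

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words long; 12 is the shortest.
MIN_MNEMONIC_WORDS = 12


def tokenize_ocr(text):
    """Lowercase alphabetic tokens from OCR output, with per-word numbering
    such as '1.' or '(7)' (printed by many wallets) stripped first."""
    cleaned = re.sub(r"\(?\b\d{1,2}[.)]?", " ", text)
    return [tok.lower() for tok in re.findall(r"[A-Za-z]+", cleaned)]


def find_mnemonic_candidates(text, wordlist=BIP39_SUBSET):
    """Return every run of at least 12 consecutive wordlist words in the text.
    A run is a candidate, not a confirmed seed phrase: confirming one needs
    the full wordlist and the BIP39 checksum, which this example does not do."""
    candidates = []
    run = []
    for tok in tokenize_ocr(text) + [None]:   # None flushes the final run
        if tok is not None and tok in wordlist:
            run.append(tok)
            continue
        if len(run) >= MIN_MNEMONIC_WORDS:
            candidates.append(run)
        run = []
    return candidates


def scan_gallery(images, wordlist=BIP39_SUBSET):
    """images: mapping of file name -> OCR text for that image. Returns the
    names whose text contains at least one mnemonic candidate, in input order."""
    return [name for name, text in images.items()
            if find_mnemonic_candidates(text, wordlist)]


# Constructed OCR output, standing in for what an OCR engine returns for two photos.
SAMPLE_GALLERY = {
    "IMG_0041.jpg": "Shopping list: milk, eggs, bread, coffee. "
                    "Call the bank about the account on Monday.",
    "IMG_0042.png": "Write down your recovery phrase\n"
                    "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
                    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
                    "Never share it with anyone",
}

if __name__ == "__main__":
    for name in scan_gallery(SAMPLE_GALLERY):
        print(name, find_mnemonic_candidates(SAMPLE_GALLERY[name]))
```

Two points worth noting: common English words such as "about" and "account" are also BIP39 words, so single hits mean nothing and only a long consecutive run is interesting; and OCR output is noisy, so the numbering strip and case folding matter more than they look. Pointed at the OCR text of your own gallery export, the same check finds the screenshots that should not exist.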
According to Kaspersky's analysis, the SparkCat-infected apps on Google Play had been downloaded over 242,000 times. More alarmingly, the malware was also found in apps on Apple's App Store, the first known case of an OCR-based stealer getting through App Store review. It is a reminder that store review is a filter, not a guarantee, and that no platform is entirely immune to malware.
It remains unclear whether the malicious code entered through a compromised third-party component (a supply chain attack) or was added deliberately by the developers; either way, the campaign shows how far such tactics have advanced. Users are advised to grant photo access only when an app genuinely needs it, and to prefer the limited access options both platforms offer (selected photos only rather than the whole library), to review installed applications regularly, and never to keep a recovery phrase as a screenshot or photo. A seed phrase belongs offline, on paper or metal, where no app on the phone can read it.