A newly discovered malware hidden inside app development kits is targeting Android and iOS users by scanning stored images for crypto wallet recovery phrases, according to cybersecurity company Kaspersky Labs.
The malware, known as SparkCat, is embedded in software tools used to build apps for Google Play and the Apple App Store. Once installed, it searches for specific text in images, including wallet backup phrases, using optical character recognition (OCR).
“The intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds,” wrote Kaspersky researchers Sergey Puzan and Dmitry Kalinin in a February 5 report.
SparkCat uses a Java-based component named Spark, which appears to be an analytics tool. It receives commands and updates from an encrypted file hosted on GitLab.
The malware then uses Google ML Kit's OCR feature to scan images stored on the device for text linked to crypto wallets, such as recovery phrases. Once a phrase is found, attackers can access the wallet without needing the owner's password.
Kaspersky estimates that SparkCat has been downloaded about 242,000 times since it first appeared in March 2024. It has mainly affected users in Europe and Asia, spreading through real and fake applications on major app stores.
Puzan and Kalinin noted:
Some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims — for example, we have seen several similar ‘messaging apps’ with AI features from the same developer.