Crypto-Stealing Malware Found in Mobile App Store SDKs, Warns Kaspersky

Kaspersky Labs has identified a sophisticated malware campaign targeting cryptocurrency users through malicious software development kits embedded in mobile apps available on Google Play and the Apple App Store. Named "SparkCat," this malware utilizes optical character recognition to scan users' photos for cryptocurrency wallet recovery phrases, which hackers then use to access and deplete affected wallets.

In a comprehensive report dated February 4, 2025, Kaspersky researchers Sergey Puzan and Dmitry Kalinin detailed how the SparkCat malware infiltrates devices and searches images for recovery phrases through multilingual keyword detection. Once these phrases are obtained, attackers gain unfettered access to victims' crypto wallets. The hackers thus achieve full control over the funds, as highlighted by the researchers.

Moreover, the malware is designed to steal additional sensitive information, such as passwords and private messages captured in screenshots. Specifically on Android devices, SparkCat masquerades as a Java-based analytics module called Spark. The malware receives operational updates from an encrypted configuration file on GitLab and uses Google's ML Kit OCR to extract text from images on infected devices. Detection of a recovery phrase results in the malware sending the information back to attackers, allowing them to import the victim's crypto wallet onto their devices.

Kaspersky estimates that since its emergence in March 2023, SparkCat has been downloaded around 242,000 times, predominantly impacting users in Europe and Asia.

In a separate but related report from mid-2024, Kaspersky has been monitoring another Android malware campaign involving deceptive APKs like Tria Stealer, which intercepts SMS messages and call logs, and steals Gmail data.

The presence of this malware spans numerous apps, some seemingly legitimate like food delivery services, and others designed to attract unwary users, such as AI-enabled messaging apps. Common features among these infected apps include the use of the Rust programming language, cross-platform capabilities, and sophisticated obfuscation methods to evade detection.

The origins of SparkCat remain unclear. The researchers have not ascribed the malware to any known hacking group but have noted Chinese-language comments and error messages within the code, suggesting fluency in Chinese by the developer. While it shares similarities with a campaign uncovered by ESET in March 2023, its precise source remains unidentified.

Kaspersky strongly advises users against storing sensitive information like crypto wallet recovery phrases in their photo galleries. Instead, they recommend employing password managers and regularly scanning for and eliminating suspicious applications.

The findings were originally reported on 99Bitcoins in the article titled "Malicious SDKs on Google Play and App Store Steal Crypto Seed Phrases: Kaspersky."