A newly identified malware operation, SparkCat, has infiltrated both Apple’s App Store and Google Play via a network of counterfeit applications, aiming to siphon victims’ cryptocurrency wallet mnemonic phrases.
Researchers Dmitry Kalinin and Sergey Puzan from Kaspersky revealed that the campaign employs optical character recognition (OCR) to detect and extract recovery phrases embedded within images stored in victims’ photo libraries, subsequently relaying the data to a command-and-control (C2) server.
The malware derives its name from an embedded software development kit (SDK) that utilizes a Java-based Spark component, which masquerades as an innocuous analytics tool. Whether its propagation stems from a supply chain compromise or was deliberately introduced by its developers remains uncertain.
While Android malware leveraging OCR has surfaced before, this incident marks one of the first instances of such an infostealer making its way into Apple’s tightly curated App Store. The infected apps on Google Play alone have reportedly accumulated over 242,000 downloads.
Deceptive Distribution and Attack Methodology
Operational since March 2024, the SparkCat campaign disseminates its malware through both official and unofficial app marketplaces. These applications disguise themselves as artificial intelligence (AI) tools, food delivery services, and Web3 utilities, some of which possess seemingly legitimate features to maintain credibility.
“The Android variant of the malware decrypts and activates an OCR plug-in built with Google’s ML Kit library, scanning images within the device’s gallery for keywords dictated by the C2,” Kaspersky explained. “Any images matching the predefined criteria are promptly exfiltrated.”
Similarly, the iOS counterpart of SparkCat employs Google’s ML Kit OCR framework to scan for wallet-related mnemonic phrases. A distinct feature of this malware is its reliance on Rust-based communication mechanisms for interacting with C2 infrastructure—an uncommon approach in mobile malware development.
Primary Targets and Linguistic Indicators
Analysis of keywords and regional distribution suggests that the attack predominantly focuses on European and Asian users. The threat actor behind SparkCat is assessed to possess fluency in Chinese, further supporting theories regarding its origin.
“What makes this Trojan particularly insidious is its ability to operate covertly,” researchers warned. “The permissions it requests seem essential for core functionality, making its malicious intent far from obvious.”
Emerging Mobile Threats and Wider Cybercrime Trends
This revelation coincides with Zimperium zLabs’ disclosure of another Android malware campaign in India, wherein cybercriminals distribute malicious APK files via WhatsApp, disguised as banking or government applications. The objective is to harvest sensitive financial and personal data.
According to Zimperium, the campaign deploys over 1,000 counterfeit apps, using approximately 1,000 hardcoded phone numbers to reroute SMS messages and one-time passwords (OTPs) for exfiltration.
“Unlike traditional banking Trojans that depend solely on C2 servers to steal OTPs, this malware intercepts SMS traffic via live phone numbers, leaving a tangible forensic footprint for law enforcement to pursue,” said security researcher Aazim Yaswant.
Dubbed FatBoyPanel, this attack campaign has amassed 2.5 GB of confidential data, stored on Firebase endpoints accessible without authentication. Stolen information includes:
- Banking SMS logs from Indian financial institutions
- Credit and debit card credentials
- Government-issued identification details
- Sensitive records belonging to 50,000+ users, primarily from West Bengal, Bihar, Jharkhand, Karnataka, and Madhya Pradesh
A Cautionary Tale: The Need for Vigilance
These incidents underscore the importance of rigorous scrutiny when downloading applications, even from official sources. Users are urged to:
- Examine developer credentials and verify authenticity
- Analyze user reviews for red flags
- Restrict unnecessary app permissions
Meanwhile, the mobile cyber threat landscape continues to evolve, as evidenced by the emergence of 24 new malware families targeting macOS systems in 2024, a rise from 21 in 2023, according to researcher Patrick Wardle.
This trend parallels a surge in macOS-targeting information stealers, such as Poseidon, Atomic, and Cthulhu, designed to infiltrate the Apple ecosystem.
“Many of these macOS infostealers leverage the native AppleScript framework,” observed researchers from Palo Alto Networks Unit 42.
“This framework offers deep OS access while maintaining an intuitive, natural language syntax. Threat actors exploit this familiarity to craft deceptive prompts that closely resemble legitimate system notifications, thereby luring users into granting elevated privileges.”
As cybercriminals refine their tactics, both Android and iOS users must exercise increased vigilance, recognizing that even seemingly benign applications can serve as gateways for sophisticated cyber intrusions.
