Kaspersky Threat Research expertise centre has discovered a new data-stealing Trojan, SparkCat, active in AppStore and Google Play since at least March 2024.

This is the first known instance of optical recognition-based malware appearing in AppStore. SparkCat uses machine learning to scan image galleries and steal screenshots containing cryptocurrency wallet recovery phrases. It can also find and extract other sensitive data in images, such as passwords.

Kaspersky has reported known malicious applications to Google and Apple.

The malware is spreading through both infected legitimate apps and lures – messengers, AI assistants, food delivery, crypto-related apps, and more. Some of these apps are available on official platforms in Google Play and AppStore.

Kaspersky telemetry data also shows that infected versions are being distributed through other unofficial sources. In Google Play, these apps have been downloaded over 242 000 times.

The malware primarily targets users in the UAE and countries in Europe and Asia. Experts drew this conclusion from both the information about the operational areas of the infected apps and the technical analysis of the malware.

SparkCat scans image galleries for keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. However, experts believe victims could be from other countries as well.

Once installed, the new malware in certain scenarios requests access to view photos in a user’s smartphone gallery. It then analyses the text in stored images using an optical character recognition (OCR) module. If the stealer detects relevant keywords, it sends the image to the attackers.

The hackers’ primary goal is to find recovery phrases for cryptocurrency wallets. With this information, they can gain full control over a victim’s wallet and steal funds. Beyond stealing recovery phrases, the malware is capable of extracting other personal information from screenshots, such as messages and passwords.

“This is the first known case of OCR-based Trojan to sneak into AppStore,” says Sergey Puzan, malware analyst at Kaspersky. “In terms of both AppStore and Google Play, at the moment it’s unclear whether applications in these stores were compromised through a supply chain attack or through various other methods. Some apps, like food delivery services, appear legitimate, while others are clearly designed as lures.”

Dmitry Kalinin, malware analyst at Kaspersky, adds: “The SparkCat campaign has some unique features that make it dangerous. First of all, it spreads through official app stores and operates without obvious signs of infection. The stealthiness of this Trojan makes it hard to discover it for both store moderators and mobile users. Also, the permissions it requests seem reasonable, making them easy to overlook.

“Access to the gallery that the malware attempts to reach may seem essential for the app to function properly, as it appears from the user perspective. This permission is typically requested in relevant contexts, such as when users contact customer support.”

Analysing Android versions of the malware, Kaspersky experts found comments in the code written in Chinese. Additionally, the iOS version contained developer home directory names, “qiongwu” and “quiwengjing”, suggesting that the threat actors behind the campaign are fluent in Chinese.

However, there is not enough evidence to attribute the campaign to a known cybercriminal group.

Cybercriminals are increasingly paying attention to neural networks in their nefarious tools. In the case of SparkCat, the Android module decrypts and executes an OCR plugin that uses the Google ML Kit library to recognise text in stored images. A similar method was used in its iOS malicious module.
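The combination described above (gallery permission, an on-device OCR engine, dynamically loaded code, and network access) is what an analyst would look for when triaging an APK for this behaviour. The following is an added example, not Kaspersky's code and not derived from SparkCat samples: a static triage heuristic that scores a set of strings already extracted from an APK (for instance from its manifest and decompiled classes). The indicator names are assumptions on my part: the permission strings and `dalvik.system` class names are standard Android identifiers, and `com.google.mlkit.vision.text` is the public Google ML Kit text recognition package; the sample string sets are constructed. The heuristic only prioritises apps for review; a legitimate document scanner will also hit the OCR group.

```python
"""Static triage heuristic: flag an Android app that can read the photo gallery,
run on-device OCR, load code dynamically, and reach the network.

Indicator lists are assumptions (standard Android / public ML Kit identifiers),
not indicators taken from any SparkCat sample."""

from typing import Dict, Iterable, List

# Capability groups. Each list holds substrings searched for in the extracted
# strings of an APK (manifest permissions, class names, package names).
INDICATORS: Dict[str, List[str]] = {
    "gallery_access": [
        "android.permission.READ_MEDIA_IMAGES",      # Android 13+ scoped photo access
        "android.permission.READ_EXTERNAL_STORAGE",  # older broad storage access
    ],
    "on_device_ocr": [
        "com.google.mlkit.vision.text",       # Google ML Kit text recognition
        "com.google.android.gms.vision.text",  # older Mobile Vision text API
    ],
    "dynamic_loading": [
        "dalvik.system.DexClassLoader",          # loads a DEX/JAR from disk at runtime
        "dalvik.system.InMemoryDexClassLoader",  # loads a DEX from a byte buffer
    ],
    "network_exfil": [
        "android.permission.INTERNET",
    ],
}

# The three capabilities that together match the behaviour described in the
# article: read stored images, recognise text in them, send the result out.
CORE_GROUPS = ("gallery_access", "on_device_ocr", "network_exfil")


def triage(strings: Iterable[str]) -> Dict[str, object]:
    """Return which capability groups are present and whether the app needs review.

    `strings` is any iterable of strings pulled out of the APK. Matching is by
    substring so fully qualified class names such as
    'com.google.mlkit.vision.text.TextRecognition' hit the package indicator.
    """
    corpus = list(strings)
    hits: Dict[str, List[str]] = {}
    for group, needles in INDICATORS.items():
        matched = sorted({n for n in needles if any(n in s for s in corpus)})
        if matched:
            hits[group] = matched

    core_present = all(g in hits for g in CORE_GROUPS)
    # Dynamic loading on top of the core trio raises priority: the OCR engine
    # may only appear after a payload is decrypted and loaded at runtime.
    priority = "high" if core_present and "dynamic_loading" in hits else (
        "medium" if core_present else "low")
    return {"hits": hits, "needs_review": core_present, "priority": priority}


# Constructed sample: strings as they might be extracted from a suspicious APK.
SUSPICIOUS_STRINGS = [
    "android.permission.INTERNET",
    "android.permission.READ_MEDIA_IMAGES",
    "dalvik.system.DexClassLoader",
    "com.google.mlkit.vision.text.TextRecognition",
    "com.google.mlkit.vision.text.latin.TextRecognizerOptions",
]

# Constructed sample: a plain photo-sharing app reads the gallery and uses the
# network, but bundles no OCR engine and loads no code at runtime.
BENIGN_GALLERY_APP_STRINGS = [
    "android.permission.INTERNET",
    "android.permission.READ_MEDIA_IMAGES",
    "androidx.recyclerview.widget.RecyclerView",
]


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_STRINGS),
                          ("benign", BENIGN_GALLERY_APP_STRINGS)):
        result = triage(sample)
        print(f"{label}: priority={result['priority']} "
              f"groups={sorted(result['hits'])}")
```

The output is a prioritisation, not a verdict: an app that scores high here still needs the OCR plugin's actual behaviour (what it searches for and where results go) confirmed in dynamic analysis.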