"Crypto Malware Steals Wallet Phrases via OCR in 242K Apps"
Crypto Malware Targets Android and iOS App Development Kits
Cybersecurity firm Kaspersky Labs has discovered malicious software development kits (SDKs) used to create apps on Google’s Play Store and Apple’s App Store. These SDKs contain malware that scans users’ pictures to find crypto wallet recovery phrases, allowing hackers to drain funds from victims’ wallets.
The malware, dubbed SparkCat, infects devices and uses optical character recognition (OCR) to search for specific keywords in different languages. Once the malware finds a recovery phrase, it steals it, giving hackers full control over the victim’s wallet. The malware is also capable of stealing other personal data from the gallery, such as message content or passwords captured in screenshots.
Kaspersky Labs estimates that the malware has been active since at least March 2024, with an estimated 242,000 downloads, mainly targeting Android and iOS users in Europe and Asia. The malware is present in dozens of apps, both real and fake, across Google’s and Apple’s app stores, and shows the same characteristics in all of them: use of the Rust language, which is rarely found in mobile applications; cross-platform capability; and obfuscation that makes analysis and detection difficult.
Kaspersky Labs found fake apps containing SparkCat on both the Google Play Store and Apple App Store. The analysts said it’s unclear if the affected apps were infected as a result of a supply chain attack or whether the developers intentionally embedded the Trojan in them. Some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims.
The origin of the malware is unclear, and it can’t be attributed to any known group. However, comments and error descriptions written in Chinese within the code give analysts reason to believe that the developer of the malicious module is fluent in Chinese. Google and Apple did not immediately respond to requests for comment.

