Malware Steals Crypto Wallets via App Pics: 242K Users at Risk
Crypto Stealing Malware Discovered in Android and iOS App-Making Kits
Cybersecurity firm Kaspersky Labs has uncovered a malicious software development kit (SDK) used to create apps on Google’s Play Store and Apple’s App Store. This SDK contains malware that scans users’ pictures to find crypto wallet recovery phrases, enabling theft of the funds those wallets hold.
Once the malware, dubbed SparkCat, infects a device, it uses an optical character recognition (OCR) stealer to search the device’s images for specific keywords in different languages. The intruders steal recovery phrases for crypto wallets, which are sufficient to gain full control over the victim’s wallet and steal its funds. The malware is also capable of stealing other personal data from the gallery, such as message content or passwords captured in screenshots.
The malware has been active since at least March 2024 and has been downloaded an estimated 242,000 times, mainly targeting Android and iOS users in Europe and Asia. It is present in dozens of apps, both real and fake, across Google’s and Apple’s app stores, with the same features across them all, such as the use of the Rust language, which is rarely found in mobile applications, and cross-platform capability.
Kaspersky Labs found fake apps containing SparkCat on both the Google Play Store and Apple App Store. The origin of the malware is unclear, and it cannot be attributed to any known group. However, comments and error descriptions written in Chinese within the code suggest that the developer of the malicious module is fluent in Chinese.
Kaspersky’s analysts recommended not storing sensitive information in screenshots or a phone’s picture gallery and using a password manager instead. They also advised removing any suspect or infected apps.
