SparkCat Malware: 242K Devices Compromised in Global Crypto Heist

Generated by AI AgentCoin World
Wednesday, Feb 5, 2025 6:29 am ET

Kaspersky, a leading cybersecurity firm, has uncovered a sophisticated mobile malware campaign targeting cryptocurrency users on both iOS and Android platforms. The malware, dubbed SparkCat, has infected over 242,000 devices across Europe and Asia, demonstrating the evolving threat landscape for cryptocurrency enthusiasts.

The malware, active since March 2024, has successfully infiltrated both Google Play and Apple’s App Store through seemingly legitimate applications. These infected apps include popular categories such as food delivery services and AI-powered messaging platforms, highlighting the attackers’ ability to bypass standard security measures. SparkCat represents a technical milestone in malware development, as it marks the first known instance of an OCR-based cryptocurrency stealer successfully penetrating Apple’s iOS ecosystem.

SparkCat operates through a Java-based SDK called Spark on Android devices, which presents itself as an analytics module to avoid detection. Upon launching an infected app, the malware contacts a remote GitLab repository to retrieve its configuration files. The iOS version of SparkCat takes a different approach, using a malicious framework that masquerades under various names such as GZIP, googleappsdk, or stat. This framework is written in Objective-C and obfuscated with HikariLLVM to evade detection.

Both versions of the malware employ Google ML Kit’s OCR capabilities to scan through users’ photo galleries, searching for cryptocurrency wallet recovery phrases. The scanning functionality supports multiple languages, including English, Chinese, Korean, Japanese, and several European languages. To maintain stealth on iOS devices, the malware only requests gallery access when users perform specific actions, such as opening a support chat, helping it avoid raising suspicion through unnecessary permission requests.
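The check a defender most wants after reading the paragraph above is a way to find exposed recovery phrases in their own screenshots before any app holding gallery access does. The Python below is an added example, not code from the article or from Kaspersky's analysis: given text that an OCR tool recovered from images, it flags runs of BIP39 words and, where the full ordered wordlist is available, verifies the BIP39 checksum, which separates a real recovery phrase from a chance run of common English words. The embedded 40-word prefix of the wordlist, the sample OCR text and the `load_wordlist()` path handling are constructed for the example; the full 2048-word list is loaded from a file path you supply.

```python
"""Seed-phrase exposure check over OCR output (added, defender-side example)."""
import hashlib
import re
from pathlib import Path

# Constructed: the first 40 entries of the public BIP39 English wordlist, in
# list order (index order matters for the checksum). The real list has 2048
# words; pass its path (one word per line) to load_wordlist() for real use.
BIP39_PREFIX = (
    "abandon ability able about above absent absorb abstract absurd abuse "
    "access accident account accuse achieve acid acoustic acquire across act "
    "action actor actress actual adapt add addict address adjust admit "
    "adult advance advice aerobic affair afford afraid again age agent"
).split()

VALID_LENGTHS = {12, 15, 18, 21, 24}   # mnemonic lengths BIP39 allows

# Constructed OCR output: a numbered seed card (the BIP39 all-zero test
# vector) followed by an unrelated chat screenshot.
SAMPLE_OCR = """
1. abandon 2. abandon 3. abandon 4. abandon 5. abandon 6. abandon
7. abandon 8. abandon 9. abandon 10. abandon 11. abandon 12. about
Support: your order was delivered, thanks again!
"""


def load_wordlist(path=None):
    """Return {word: index}. Uses the full list at `path` when the file
    exists, otherwise the embedded prefix (an assumption for this example)."""
    words = BIP39_PREFIX
    if path and Path(path).is_file():
        words = Path(path).read_text(encoding="utf-8").split()
    return {w: i for i, w in enumerate(words)}


def find_candidate_runs(text, index, min_run=12):
    """Return runs of at least `min_run` consecutive wordlist tokens.
    Text is lowercased and non-letters dropped, so a numbered seed card
    ('1. abandon 2. ability ...') still yields a single run."""
    tokens = re.findall(r"[a-z]+", text.lower())
    runs, cur = [], []
    for tok in tokens + [None]:        # sentinel flushes the final run
        if tok in index:
            cur.append(tok)
            continue
        if len(cur) >= min_run:
            runs.append(cur)
        cur = []
    return runs


def checksum_ok(words, index):
    """BIP39 checksum: concatenate each word's 11-bit index; the last n//3
    bits must equal the leading bits of SHA-256 over the remaining entropy.
    Returns None when the length is invalid or a word cannot be resolved
    (which is the case for most phrases with the embedded prefix)."""
    n = len(words)
    if n not in VALID_LENGTHS or any(w not in index for w in words):
        return None
    bits = "".join(format(index[w], "011b") for w in words)
    cs_len = n // 3
    entropy = int(bits[:-cs_len], 2).to_bytes((11 * n - cs_len) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return bits[-cs_len:] == expected


def scan(text, index, min_run=12):
    """Classify each run: 'verified' when some window of a valid length passes
    the checksum (almost certainly a real phrase), else 'candidate'."""
    findings = []
    for run in find_candidate_runs(text, index, min_run):
        verdict = "candidate"
        for n in sorted(VALID_LENGTHS, reverse=True):   # try 24 words first
            if any(checksum_ok(run[i:i + n], index)
                   for i in range(len(run) - n + 1)):
                verdict = "verified"
                break
        findings.append((verdict, " ".join(run)))
    return findings


if __name__ == "__main__":
    for verdict, phrase in scan(SAMPLE_OCR, load_wordlist()):
        print(verdict, phrase)
```

With the full wordlist loaded, a "candidate" verdict usually means a long stretch of ordinary English (the list contains many common words), while "verified" is worth acting on immediately: delete the image and move the funds to a wallet with a fresh phrase. The same matching applies unchanged to the other languages the article lists, since BIP39 publishes a wordlist per language.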

Once SparkCat identifies potential cryptocurrency-related information in images, it uploads the data to attacker-controlled servers. The transmission occurs either through Amazon cloud storage services or via a custom Rust-based protocol, which complicates tracking efforts due to its use of encrypted data transfers and non-standard communication methods. The malware’s capabilities extend beyond cryptocurrency theft, as it can capture other sensitive information, including message content and passwords that users might have saved in screenshots.

The exact origin of SparkCat remains unknown, but analysis of the malware’s code revealed embedded comments and error messages in Chinese, suggesting its developers are fluent in the language. However, researchers have not attributed the campaign to any
