SparkCat Malware: Stealing Crypto Keys on Android and iOS
Kaspersky, a leading cybersecurity firm, has issued a warning about a new malware threat, SparkCat, which targets private keys on both Android and iOS devices. This malware has been active since March 2024 and has been downloaded over 200,000 times, affecting users across Europe and Asia.
SparkCat spreads through malicious software development kits (SDKs) embedded in seemingly harmless apps, including food delivery and AI-powered messaging apps, available on both Google Play and the App Store. It is the first known instance of an optical character recognition (OCR)-based stealer reaching Apple's platform.
The malware uses OCR technology to scan a victim's photo gallery, searching for crypto wallet recovery phrases hidden in screenshots or saved notes. It then uploads the image to an attacker-controlled server, either via Amazon cloud storage or a Rust-based protocol, making it difficult to track its activity due to encrypted data transfers and non-standard communication methods.
On Android, the malware is injected via a Java-based SDK called Spark, disguised as an analytics module. Once active, SparkCat uses Google ML Kit's OCR tool to scan the device's image gallery for specific keywords related to crypto wallet recovery phrases across multiple languages.
On iOS, SparkCat operates through a malicious framework embedded in infected apps, disguised under names like GZIP, googleappsdk, or stat. This framework integrates with Google ML Kit to extract text from images in the gallery. To avoid raising suspicion, the iOS version only requests gallery access when users perform specific actions, such as opening a support chat.
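The keyword search described above is the same logic a defensive self-audit can run on your own gallery: extract the text from each screenshot with whatever OCR tool you already have, then flag images that contain wallet-related keywords or a run of consecutive BIP39 mnemonic words, and delete them before any app with gallery access can read them. The following Python is an added illustration of that check, not code from Kaspersky or from the malware; the keyword list, the trimmed BIP39 sample (the real list has 2048 words) and the two sample screenshot texts are all constructed for the example, and OCR output is assumed to be already available as a string.

```python
import re
from typing import Dict, List, Set

# Constructed: a small sample of the English BIP39 word list (the real list
# has 2048 entries; load the full list for a production check).
SAMPLE_BIP39: Set[str] = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "zero", "zone", "zoo",
}

# Constructed multi-language keywords that typically label a stored seed
# phrase in a screenshot or note (not Kaspersky's published list).
KEYWORDS: List[str] = [
    "seed phrase", "recovery phrase", "backup phrase", "mnemonic",
    "private key", "助记词", "秘密鍵", "сид-фраза",
]

# Shortest valid BIP39 mnemonic is 12 words; longer ones are 15/18/21/24.
MIN_MNEMONIC_WORDS = 12


def find_keywords(text: str) -> List[str]:
    """Return the wallet-related keywords present in OCR text (case-insensitive)."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def find_mnemonic_runs(text: str, wordlist: Set[str] = SAMPLE_BIP39) -> List[str]:
    """Return maximal runs of >= MIN_MNEMONIC_WORDS consecutive wordlist words.

    Numbering such as '1 abandon 2 ability' is ignored because only alphabetic
    tokens are considered, so numbered backup sheets are still detected.
    """
    words = re.findall(r"[a-z]+", text.lower())
    runs: List[str] = []
    current: List[str] = []
    for w in words + [None]:  # trailing None flushes the last run
        if w is not None and w in wordlist:
            current.append(w)
            continue
        if len(current) >= MIN_MNEMONIC_WORDS:
            runs.append(" ".join(current))
        current = []
    return runs


def scan_screenshot_text(text: str) -> Dict[str, object]:
    """Classify one screenshot's OCR text; flagged means it should not stay in the gallery."""
    keywords = find_keywords(text)
    runs = find_mnemonic_runs(text)
    return {"keywords": keywords, "mnemonic_runs": runs, "flagged": bool(keywords or runs)}


# Constructed sample OCR outputs standing in for two gallery images.
SAMPLE_WALLET_NOTE = (
    "Wallet backup - recovery phrase\n"
    "1 abandon 2 ability 3 able 4 about 5 above 6 absent\n"
    "7 absorb 8 abstract 9 absurd 10 abuse 11 access 12 accident"
)
SAMPLE_BENIGN = "Dinner order confirmed, table 12, see you about 8pm"

if __name__ == "__main__":
    for name, sample in (("wallet note", SAMPLE_WALLET_NOTE), ("benign", SAMPLE_BENIGN)):
        print(name, scan_screenshot_text(sample))
```

Run it over the OCR output of every image in a gallery export and delete or move to an encrypted vault anything it flags; the run-length rule catches phrases with no label at all, which the keyword rule alone would miss.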
Kaspersky estimates that the malware has infected over 242,000 devices across Europe and Asia. While the exact origin remains unknown, embedded comments in the code and error messages suggest that the malware's developers are fluent in Chinese.
Researchers at Kaspersky urge users to avoid storing important information like seed phrases, private keys, and passwords within screenshots. This is not the first time bad actors have managed to bypass Google and Apple's store security measures, as seen in the September 2024 incident involving the "Clipper malware."
Private key theft has dealt serious damage to the crypto industry, being one of the main reasons behind some of its yet. Users are advised to remain vigilant and follow best practices to protect their sensitive 