"SparkCat Malware: Stealing Crypto Wallets on Google and Apple App Stores"

Generated by AI Agent, Coin World
Tuesday, Feb 4, 2025 9:24 pm ET

Cybersecurity firm Kaspersky has uncovered a malicious software development kit (SDK) built into apps on both Google's Play Store and Apple's App Store. This SDK, dubbed SparkCat, is designed to steal cryptocurrency wallet recovery phrases from users' devices, allowing attackers to drain funds.

The malware, once it infects a device, uses an optical character recognition (OCR) sniffer to search images for specific keywords in different languages. This enables it to find recovery phrases for crypto wallets, which are sufficient to fully control the victim's wallet and steal funds. Additionally, the malware can steal other personal data from the photo gallery, such as message content or passwords captured in screenshots.

Kaspersky estimates that the malware has been active since at least March 2024 and has been downloaded about 242,000 times, primarily targeting Android and iOS users in Europe and Asia. The malware is present in dozens of apps, both real and fake, across Google's and Apple's app stores. All of the infected apps share the same characteristics, such as cross-platform capability and the use of the Rust language, which is rarely found in mobile applications.

It remains unclear whether the affected apps were infected as a result of a supply chain attack or whether the developers intentionally embedded the Trojan in them. Some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims, such as similar "messaging apps" with AI features from the same developer.

The origin of the malware is also unclear, and it cannot be attributed to any known group. However, comments and error descriptions written in Chinese within the code suggest that the developer of the malicious module is fluent in Chinese. Google and Apple have not yet responded to requests for comment.
