Researchers have uncovered a sophisticated malware campaign, dubbed "SparkCat," that targets cryptocurrency wallet recovery phrases through malicious mobile applications. The campaign, which has been active since late 2024, affects both Android and iOS devices, marking a significant shift from previous attacks that primarily targeted Android and Windows users through unofficial app sources.
The SparkCat campaign employs a malicious software development kit (SDK) embedded in modified messaging apps and other applications, which scans users' image galleries for sensitive recovery data. This technique was first observed in March 2023, but the latest iteration of the campaign has expanded its reach to include official and unofficial app marketplaces for both Android and iOS devices.
In one instance, a food delivery app called "ComeCome" on Google Play was found to include the malicious SDK. The infected apps have been collectively installed more than 242,000 times, and similar malware was later identified in apps available on Apple's App Store. The malware uses Google's ML Kit library to perform optical character recognition (OCR) on images stored on users' devices, allowing it to scan images for keywords that suggest the presence of mnemonic phrases in multiple languages.
Experts in the field have raised concerns about the preventative measures employed by app stores, which often rely on automated checks and rarely include manual reviews. Additionally, code obfuscation and malicious updates can introduce malware after an app has already been approved, making it difficult for security researchers and law enforcement to detect and address the issue.
Stephen Ajayi, dApp audit technical lead at crypto cybersecurity firm Hacken, and Slava Demchuk, CEO of blockchain analytics firm AMLBot, both highlighted the unusual nature of this attack vector and the potential for it to cause more damage if it becomes easier to replicate. They also offered advice: users should think twice before granting permissions to applications, and wallet developers should find better ways of handling and displaying sensitive data like seed phrases.
