Kaspersky: UAE Users Targeted by New Crypto-Stealing Trojan

by Techno Fin
February 5, 2025
Kaspersky Threat Research expertise center has discovered a new data-stealing Trojan, SparkCat, active in AppStore and Google Play since at least March 2024. This is the first known instance of optical recognition-based malware appearing in AppStore. SparkCat uses machine learning to scan image galleries and steal screenshots containing cryptocurrency wallet recovery phrases. It can also find and extract other sensitive data in images, such as passwords.
Kaspersky has reported known malicious applications to Google and Apple.

How the new malware spreads

The malware is spreading through both infected legitimate apps and lures – messengers, AI assistants, food delivery, crypto-related apps, and more. Some of these apps are available on official platforms in Google Play and AppStore. Kaspersky telemetry data also shows that infected versions are being distributed through other unofficial sources. In Google Play, these apps have been downloaded over 242,000 times.

Who is being targeted

The malware primarily targets users in the UAE and countries in Europe and Asia. This is what experts concluded based on both the information about the operational areas of the infected apps and the technical analysis of the malware. SparkCat scans image galleries for keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. However, experts believe victims could be from other countries as well.
For example, the food delivery app ComeCome for iOS was infected, just like its Android version.

How SparkCat works

Once installed, in certain scenarios the new malware requests access to view photos in a user’s smartphone gallery. It then analyzes the text in stored images using an optical character recognition (OCR) module. If the stealer detects relevant keywords, it sends the image to the attackers. The hackers’ primary goal is to find recovery phrases for cryptocurrency wallets. With this information, they can gain full control over a victim’s wallet and steal funds. Beyond stealing recovery phrases, the malware is capable of extracting other personal information from screenshots, such as messages and passwords.
“This is the first known case of OCR-based Trojan to sneak into AppStore,” said Sergey Puzan, malware analyst at Kaspersky. “In terms of both AppStore and Google Play, at the moment it’s unclear whether applications in these stores were compromised through a supply chain attack or through various other methods. Some apps, like food delivery services, appear legitimate, while others are clearly designed as lures.”
“The SparkCat campaign has some unique features that make it dangerous. First of all, it spreads through official app stores and operates without obvious signs of infection. The stealthiness of this Trojan makes it hard to discover it for both store moderators and mobile users. Also, the permissions it requests seem reasonable, making them easy to overlook. Access to the gallery that the malware attempts to reach may seem essential for the app to function properly, as it appears from the user perspective. This permission is typically requested in relevant contexts, such as when users contact customer support,” added Dmitry Kalinin, malware analyst at Kaspersky.
Analyzing Android versions of the malware, Kaspersky experts found comments in the code written in Chinese. Additionally, the iOS version contained developer home directory names, “qiongwu” and “quiwengjing”, suggesting that the threat actors behind the campaign are fluent in Chinese. However, there is not enough evidence to attribute the campaign to a known cybercriminal group.

ML-powered attacks

Cybercriminals are increasingly incorporating neural networks into their malicious tools. In the case of SparkCat, the Android module decrypts and executes an OCR plugin that uses the Google ML Kit library to recognize text in stored images. A similar method was used in its malicious iOS module.
Kaspersky solutions protect both Android and iOS users from SparkCat. It is detected as HEUR:Trojan.IphoneOS.SparkCat.* and HEUR:Trojan.AndroidOS.SparkCat.*.
A full report on this malware campaign is available at Securelist.
To avoid becoming a victim of this malware, Kaspersky recommends the following safety measures:
● If you have installed one of the infected applications, remove it from your device and do not use it until an update has been released to eliminate the malicious functionality.
● Avoid storing screenshots containing sensitive information in your gallery, including cryptocurrency wallet recovery phrases. Passwords, for example, could be stored in specialized applications such as Kaspersky Password Manager.
● Reliable cybersecurity software, like Kaspersky Premium, can prevent malware infections.
