A new malware campaign is said to be specifically targeting crypto users on both iOS and Android. Security researchers at Kaspersky recently discovered a malicious software development kit, or SDK, called “SparkCat”.
The SDK has been secretly embedded in multiple apps available on both the Apple App Store and Google Play. The malware works by stealing sensitive cryptocurrency wallet recovery phrases. It does this by using optical character recognition (OCR) technology to scan and extract information from screenshots saved on a user’s device.
Unlike typical malware that spreads through unofficial app stores, SparkCat made its way into the major official app stores. Once installed, it quietly scans a user’s photo gallery, looking for wallet recovery phrases. If it finds anything useful, it uploads the data to a remote command-and-control (C2) server controlled by the attackers. Because a recovery phrase is enough to restore a wallet on another device, this effectively gives them full access to the victim’s crypto funds.
Our experts have discovered a new data-stealing Trojan, SparkCat, active in AppStore and Google Play since at least March 2024.
SparkCat leverages machine learning to scan image galleries, stealing cryptocurrency wallet recovery phrases, passwords, and other sensitive data… pic.twitter.com/78ssxHTlAM
— Kaspersky (@kaspersky) February 5, 2025
iOS and Android apps compromised by crypto-stealing malware
One of the first infected apps researchers found was a Chinese food delivery app called ComeCome, which was available in the UAE and Indonesia. The Android versions of the compromised apps have already been downloaded more than 242,000 times in total.
The researchers wrote: “Judging by timestamps in malware files and creation dates of configuration files in GitLab repositories, SparkCat has been active since March 2024.”
They add that apart from ComeCome, a number of additional, unrelated apps covering a variety of subjects were also targeted. “We alerted Google to the presence of infected apps in its store,” they said.
SparkCat uses a custom protocol built in Rust, which is pretty unusual for mobile apps. A full list of the affected apps can be found at the end of Kaspersky’s report.
Most of the compromised apps have been removed from the official stores, but security experts warn that some could still be floating around through sideloading or third-party sources. Last year, the crypto-stealing app Yobit Pro raked in over $5 million before it was removed from the Play Store after three months.
If you think you might have installed one of these apps, it’s a good idea to delete anything suspicious and run a thorough security scan on your device. The researchers also recommend not storing screenshots that contain sensitive information, such as recovery phrases or passwords. Also, double-check your crypto wallets for any signs of unauthorized access, just to be safe.
ReadWrite has reached out to Apple and Google for comment.