SparkCat malware steals cryptocurrency wallet recovery phrases, infecting 242K+ users. Learn how to protect your assets from this growing threat

Continue reading
A sophisticated malware campaign known as "SparkCat" has recently been uncovered, targeting Android and iOS apps on Google Play and the Apple App Store. The malicious software development kit (SDK) embedded within these applications is designed to steal cryptocurrency wallet recovery phrases, a move that could lead to devastating losses for unsuspecting users. With the rapid increase in cryptocurrency adoption, this alarming malware campaign highlights the need for heightened vigilance in app security and the safe handling of sensitive data.
The "SparkCat" campaign derives its name from a key component of the malware known as "Spark," which is part of the malicious SDK. The developers of the infected apps are likely unaware of the presence of the malware, making it harder to spot the threat until it’s too late. Kaspersky, a global cybersecurity firm, discovered that the infected apps on Google Play alone were downloaded over 242,000 times, indicating the massive reach and impact of the attack.
This malicious SDK operates by leveraging optical character recognition (OCR) technology to extract sensitive information from images stored on a user’s device. Specifically, the malware targets cryptocurrency wallet recovery phrases, which are used to restore access to wallets and their associated funds. If successful, attackers can use these recovery phrases to steal cryptocurrency from compromised wallets.
SparkCat malware uses the Google ML Kit OCR tool to extract text from images on the device. Depending on the system language, it loads different OCR models to detect text in various scripts, such as Latin, Korean, Chinese, and Japanese characters. Once activated, the SDK begins searching for images containing sensitive recovery phrases by looking for keywords in multiple languages.
These keywords vary depending on the region, with separate keyword sets for regions such as Europe and Asia, to improve the efficiency of the malware in detecting relevant images. When the malware locates a matching image, it sends the information to a remote command server, which in turn sends back instructions to regulate the further operation of the malware.
The true danger of this malware lies in its ability to identify wallet recovery phrases stored in screenshots or other image files. Many cryptocurrency users, often with limited security knowledge, make the mistake of storing their recovery phrases in digital formats such as screenshots or photos. The SparkCat malware is specifically designed to target these unprotected images and steal valuable information without alerting the user.
Kaspersky identified a total of 18 infected Android apps and 10 iOS apps as part of the SparkCat campaign. While some of these apps are no longer available on their respective app stores, many are still active, posing a risk to users who have not yet detected the infection. Among the infected apps, the Android ChatAi app was particularly notable, with over 50,000 installs before it was removed from Google Play. Although no definitive list of affected apps is available, users should remain cautious when installing new applications from lesser-known developers.
If you suspect that your device may be compromised, there are immediate steps you can take to safeguard your cryptocurrency and personal information. The first and most important action is to uninstall any suspicious apps from your device, especially those related to the SparkCat campaign. Next, it’s critical to run a mobile antivirus scan to check for any remaining traces of the malware.
For a more thorough approach, consider performing a factory reset on your device. While this will erase all data from your phone, it will also remove any lingering malware, offering you a clean slate.
Beyond immediate actions, there are long-term security practices every cryptocurrency user should adopt to protect their sensitive recovery phrases. It’s essential to never store recovery phrases in digital images or screenshots. Instead, use physical offline storage options, such as paper backups, hardware wallets, or encrypted removable storage devices, to secure your recovery phrases. Alternatively, you can store them in password managers with strong encryption that are offline or self-hosted.
The rise of SparkCat malware also underscores the critical importance of app vetting and security hygiene. Despite the Google Play Store and Apple App Store’s efforts to screen apps for malicious behavior, sophisticated SDKs like SparkCat can slip past these defenses. Users should exercise caution when installing apps, particularly those that request unnecessary permissions or come from unverified developers. A careful review of app permissions, along with reading user reviews and researching the developer's background, can help mitigate the risk of falling victim to such malware campaigns.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.