
Kaspersky Warns of SparkCat Malware Threat That Attacks Private Keys on Android and iOS

by Emmanuel Musa
3 months ago
in Crypto, Breaking News

Kaspersky has revealed a new attack targeting private keys on both Android and iOS devices. The malware has already infected over 242,000 devices by embedding itself in popular mobile apps, posing a severe risk to crypto users worldwide.

Kaspersky’s February 4 report highlights that SparkCat malware uses optical character recognition (OCR) to scan victims’ photo galleries, hunting for crypto wallet recovery phrases stored as screenshots or saved notes. This sophisticated attack puts thousands of cryptocurrency investors at risk, potentially leading to massive financial losses.

How the SparkCat Malware Threat Works

The SparkCat malware threat spreads through malicious software development kits (SDKs) embedded in seemingly harmless apps. These apps, ranging from food delivery services to AI-powered messaging platforms, were even available on Google Play and the App Store.

Kaspersky’s report highlights that SparkCat is the first-ever OCR-based malware to infiltrate Apple’s iOS ecosystem, marking a dangerous milestone in cybersecurity threats.

On Android, the SparkCat malware threat operates through a Java-based SDK called Spark, disguised as an analytics module. Once an infected app is launched, the malware retrieves an encrypted configuration file from a remote GitLab repository.

Once active, it:

  • Uses Google ML Kit’s OCR tool to scan the image gallery.
  • Searches for crypto-related keywords in multiple languages, including English, Chinese, Korean, and Japanese.
  • Uploads identified images to attacker-controlled servers via Amazon cloud storage or a Rust-based protocol.

These sophisticated techniques allow cybercriminals to steal sensitive information while making it difficult for security researchers to track their activities.
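A defender-side triage for the Android pattern described above, as an added example that is not from Kaspersky's report or the original article: it flags an app whose decoded manifest and class list combine gallery-read permission, ML Kit text recognition and network access. The `triage` function, the sample manifest and the sample class names are constructed for illustration; the same combination appears in legitimate apps, so a hit means "review this app", not "malicious".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GALLERY_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",  # Android 13+ image access
}
NETWORK_PERM = "android.permission.INTERNET"
OCR_PREFIX = "com.google.mlkit.vision.text"  # ML Kit text recognition package


def triage(manifest_xml, class_names):
    """Return capability flags for one app from its decoded manifest and classes."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    flags = {
        "gallery_read": bool(perms & GALLERY_PERMS),
        "network": NETWORK_PERM in perms,
        # Limitation: class renaming by an obfuscator can hide this prefix.
        "ocr": any(c.startswith(OCR_PREFIX) for c in class_names),
    }
    # Each capability alone is common; all three together match the
    # scan-gallery / OCR / upload pattern and warrant a manual look.
    flags["review"] = all(flags.values())
    return flags


# Constructed sample input: a decoded manifest and a class listing.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fooddelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""
SAMPLE_CLASSES = [
    "com.example.fooddelivery.MainActivity",
    "com.example.analytics.Tracker",
    "com.google.mlkit.vision.text.TextRecognition",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

Because the configuration is fetched at runtime, this static check only shows that an app has the capability; confirming behaviour needs dynamic analysis or the vendor's published indicators.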

How SparkCat Malware Targets iOS Users

For iOS users, the SparkCat malware threat is even more stealthy. It operates through a malicious framework embedded in infected apps, hidden under names like:

  • GZIP
  • googleappsdk
  • stat

Written in Objective-C and obfuscated with HikariLLVM, this malware integrates with Google ML Kit to scan the user’s gallery for private key information.

Unlike its Android counterpart, the iOS version of SparkCat malware only requests gallery access when users perform specific actions, such as opening a support chat. This method minimizes suspicion while still allowing attackers to extract sensitive data.

Why the SparkCat Malware Threat Is So Dangerous

According to Kaspersky researchers, the flexibility of SparkCat malware allows it to steal more than just crypto private keys. It can also capture:

  • Sensitive messages
  • Passwords
  • Other private data stored in screenshots

This makes SparkCat malware an extremely dangerous cybersecurity threat, especially for crypto investors who store their wallet recovery phrases in their image gallery.

How Widespread Is the SparkCat Malware Threat?

The SparkCat malware threat has already affected over 242,000 users, primarily in Europe and Asia. While the exact origin of the malware remains unknown, Kaspersky researchers note that embedded code comments and error messages suggest the developers are fluent in Chinese.

The massive scale of this attack shows how cybercriminals are adapting to new security measures by using advanced techniques like OCR-based data extraction.

Expert Warnings and Industry Reactions

Cybersecurity experts are urging crypto users to take immediate precautions against the SparkCat malware threat.

Kaspersky’s Official Statement

“Users should avoid storing critical information like seed phrases, private keys, and passwords in screenshots or easily accessible files,” Kaspersky’s research team warns.

They also emphasize the importance of keeping mobile apps updated, as Google and Apple are actively removing infected applications.

Crypto Security Experts Weigh In

Blockchain security specialist Tom Robinson, co-founder of Elliptic, commented:

“We’ve seen a rise in sophisticated attacks targeting mobile users. The SparkCat malware threat is a wake-up call for crypto investors to enhance their security measures.”

Meanwhile, Binance’s cybersecurity team highlighted that OCR-based threats could become a new trend in crypto hacking.

“Malware developers are continuously finding ways to extract sensitive information. SparkCat is one of the most advanced we’ve seen infiltrate mobile ecosystems,” the team stated.

Lessons from Past Crypto Malware Attacks

The SparkCat malware threat is part of an ongoing trend of sophisticated cyberattacks targeting crypto users. In September 2024, Binance flagged the Clipper malware, which:

  • Replaced copied wallet addresses with attacker-controlled ones.
  • Infected devices via unofficial mobile apps and plugins.
  • Tricked users into transferring crypto to hacker wallets.

The crypto industry has suffered billions in losses due to private key theft, making the SparkCat malware another alarming reminder of the risks facing digital assets.

How to Protect Yourself from the SparkCat Malware Threat

With the SparkCat malware threat posing a serious risk, crypto users should take the following security measures:

  • Never Store Private Keys in Screenshots: Avoid saving crypto wallet recovery phrases in your photo gallery. Instead, use secure password managers or hardware wallets.
  • Be Cautious with Mobile Apps: Only download apps from trusted developers, and check reviews and security reports before installing.
  • Regularly Update Security Software: Keep your operating system, anti-malware tools, and security patches updated to protect against new threats.
  • Enable Two-Factor Authentication (2FA): Use 2FA for all crypto accounts to add an extra layer of security against unauthorized access.
  • Monitor Your Crypto Wallets: Regularly check for suspicious transactions and use real-time security alerts to detect any unauthorized access.

The Growing Risk of Crypto Malware

The SparkCat malware threat is one of the most sophisticated crypto-targeting cyberattacks seen in recent years. By infiltrating Android and iOS apps and using OCR-based attacks, cybercriminals are evolving their tactics to steal private keys and recovery phrases.

As the crypto space continues to grow, so do the risks of cyberattacks. Crypto investors must remain vigilant, update security measures, and avoid storing sensitive information in easily accessible formats.

With cybersecurity firms like Kaspersky actively tracking threats like SparkCat malware, the fight against crypto-targeted cybercrime is far from over.
