What is SparkCat


Shane Brown

2/24/2025

SparkCat?

A new malware campaign known as "SparkCat" has been identified, targeting both Android and iOS platforms. The malware made its way into official app stores, marking the first instance of such a threat on Apple's App Store. SparkCat uses Optical Character Recognition (OCR) to extract sensitive information from images in users' photo galleries, posing a substantial risk to cryptocurrency enthusiasts and general users alike.

Who is Behind SparkCat?

While the exact perpetrators remain unidentified, analysis suggests that the developers behind SparkCat are fluent in Chinese. This inference is based on code comments written in Chinese and certain developer directory names found within the iOS version of the malware. However, there is insufficient evidence to attribute this campaign to any known cybercriminal group.

Where and When Did SparkCat Emerge?

SparkCat has been active since at least March 2024, affecting users primarily in Europe and Asia. The malware was distributed through both official platforms (Google Play Store and Apple App Store) and unofficial app stores. Notably, this campaign represents the first known case of OCR-based malware infiltrating the App Store.

How Does SparkCat Operate?

Once installed, SparkCat-infected apps request permission to access the user's photo gallery. This request often appears legitimate, as the apps masquerade as services like food delivery, AI-powered messengers, or cryptocurrency utilities. Upon gaining access, the malware utilizes an OCR module, based on Google's ML Kit library, to scan images for sensitive text, such as cryptocurrency wallet recovery phrases. Identified data is then transmitted to the attackers' servers, enabling them to compromise victims' crypto wallets and other personal accounts.

Protecting Yourself from SparkCat

To safeguard against threats like SparkCat, consider the following measures:

  • App Vigilance: Download apps only from reputable developers with a substantial number of positive reviews and a history of regular updates.

  • Permission Scrutiny: Be cautious when granting apps access to your photo gallery or other sensitive data, especially if the permission request seems unrelated to the app's primary function.

  • Secure Storage: Avoid storing sensitive information, such as passwords or recovery phrases, in your photo gallery. Instead, use dedicated and secure password management tools.

  • Regular Monitoring: Keep an eye on your financial accounts and digital wallets for any unauthorized activity.

  • Stay Updated: Ensure your device's operating system and applications are up to date, as updates often include security patches.

By maintaining awareness and practicing prudent digital habits, users can significantly reduce the risk of falling victim to malware like SparkCat.
