Crypto Security Warning: SparkCat Malware Scans Your Photos for Wallet Keys

  • Using Google ML Kit for text extraction, SparkCat transmits stolen data via encrypted communication channels, making detection difficult.
  • SparkCat’s unique attack methods include an Objective-C framework on iOS and a Java-based SDK on Android.

According to a February 4 report by the cybersecurity company Kaspersky, a new malware strain named SparkCat has emerged as a threat to both Android and iOS crypto users. The malware was found embedded within other applications that appear harmless, and it extracts sensitive user data from the mobile device through a sophisticated approach.

SparkCat Uses Optical Character Recognition for Thefts

SparkCat scans images stored in a device's gallery for crypto wallet recovery phrases. It performs this scanning using Optical Character Recognition (OCR), a technology that extracts text from images. Users who have saved screenshots or notes containing their wallet details are potential victims of a data compromise.

The malware has been operating since March 2024 and infected applications, including AI messaging apps and food ordering services, on the Google Play Store and Apple's App Store. Notably, this is the first time that OCR-based malware of this type has been found stealing cryptocurrency on Apple devices.

On Android, it spreads through a Java-based SDK called Spark, which masquerades as an analytics module and is injected into apps. When the user launches an infected app, the malware retrieves an encrypted configuration file from a remote GitLab repository.

Once activated, SparkCat uses Google ML Kit's OCR functionality to scan images in the device's gallery. It searches for keywords related to cryptocurrency wallet recovery phrases in multiple languages, including English, Chinese, Japanese, Korean, and several European languages, Kaspersky reported.

The malware exfiltrates the matching images to an attacker-controlled server. The transfer channels include Amazon cloud storage as well as a Rust-based protocol. This makes the activity difficult to track, because it relies on encrypted communication channels and unusual data transmission techniques.

iOS Compromise Through Malicious Framework

The iOS variant of SparkCat works differently: it embeds itself within compromised applications as a framework under various names such as GZIP, googleappsdk, or stat. This malicious framework, written in Objective-C, is obfuscated with HikariLLVM and integrates Google ML Kit to analyze images in the device gallery.

Unlike the Android version, the iOS malware requests access to the photo gallery only when the user performs specific actions, such as opening a support chat within an infected app. This minimizes suspicion while still allowing the malware to retrieve wallet-related information.

Kaspersky's report states that, apart from recovery phrases, the malware can steal other sensitive data, including stored passwords and the contents of messages captured in screenshots. Security experts estimate that SparkCat has already compromised more than 242,000 devices, mainly in Europe and Asia.

The origin of the malware remains unknown, although code comments and error messages indicate that its developers speak Chinese. Malware attacks on crypto users continue to escalate, with cybercriminals repeatedly finding ways to bypass the security measures imposed by app marketplaces.

In September 2024, Binance flagged Clipper malware, which replaces copied wallet addresses with attacker-controlled ones, leading victims to unknowingly send funds to fraudulent destinations. As we discussed, last year, in 2024, investors lost over $3 billion to crypto scams and hacks.
