New SparkCat Malware Poses Serious Threat to Cryptocurrency Users


A newly discovered malware campaign, dubbed SparkCat, is leveraging fake apps on both the Apple App Store and Google Play Store to steal sensitive cryptocurrency wallet recovery phrases from unsuspecting users. The malicious campaign, which has been active since March 2024, utilizes optical character recognition (OCR) technology to extract mnemonic phrases from images stored in victims' photo libraries and transmit them to a command-and-control (C2) server.


According to Kaspersky researchers Dmitry Kalinin and Sergey Puzan, the malware is embedded within a software development kit (SDK) that incorporates a Java-based Spark module, masquerading as an analytics tool. It remains unclear whether the infection resulted from a supply chain attack or was deliberately introduced by malicious developers.


Widespread Infiltration on Android and iOS

While OCR-based Android malware has been previously observed, SparkCat represents one of the first confirmed instances of such malware infiltrating Apple's App Store. The infected Android apps on Google Play reportedly amassed over 242,000 downloads, exposing a large number of users to cyber threats.


The malicious apps, disguised as AI applications, food delivery services, and Web3 tools, often offer legitimate functionalities to evade suspicion. However, once installed, the Android malware decrypts and executes an OCR plug-in built with Google's ML Kit library, scanning image galleries for specific keywords associated with wallet recovery phrases. Any matching images are then uploaded to the attackers' servers.


Similarly, the iOS version of SparkCat relies on Google’s ML Kit for OCR-based data extraction but also employs a Rust-based communication mechanism for interacting with its C2 server—a technique rarely seen in mobile malware.


Geographical Targeting and Attribution

Analysis of the keywords used in the attack and the regions where the apps were distributed suggests that the malware campaign primarily targets users in Europe and Asia. Researchers believe that the threat actor behind SparkCat is fluent in Chinese, indicating possible links to cybercrime groups operating in the region.


One of the most alarming aspects of SparkCat is its ability to operate stealthily, without raising red flags. "What makes this Trojan particularly dangerous is that there's no clear indication of a malicious implant within the app," researchers warned. "The permissions requested seem necessary for core functionality, making them appear harmless at first glance."


Related Cyber Threats: FatBoyPanel Malware Campaign

The emergence of SparkCat coincides with another significant malware operation: FatBoyPanel, a mobile banking Trojan targeting Android users in India. Detailed by Zimperium zLabs, this campaign involves the distribution of malicious APK files via WhatsApp, masquerading as legitimate banking and government applications.


Unlike conventional banking Trojans, FatBoyPanel relies on hardcoded phone numbers—over 1,000 unique numbers—to redirect SMS messages and OTPs, enabling attackers to hijack financial accounts. The malware has reportedly accumulated over 2.5GB of sensitive financial data, including bank details, credit card information, and government-issued IDs, primarily from users in West Bengal, Bihar, Jharkhand, Karnataka, and Madhya Pradesh.



Growing Cyber Threats Against Apple Users

The disclosure of SparkCat also aligns with an increasing trend of macOS-targeted malware. Security researcher Patrick Wardle has identified 24 new macOS malware families in 2024, up from 21 in 2023. These include dangerous information stealers such as Poseidon, Atomic, and Cthulhu, which specifically target macOS users.


According to Palo Alto Networks Unit 42, these macOS threats often leverage AppleScript, a built-in macOS automation framework, to execute stealthy social engineering attacks. This technique allows malware to mimic legitimate system prompts, deceiving users into granting unauthorized access.


Google and Apple Take Action

Following the exposure of SparkCat, both Google and Apple have removed the offending apps from their respective stores as of February 7, 2025. In a statement to The Hacker News, Google confirmed that Android users are automatically protected from known versions of this malware via Google Play Protect, which remains enabled by default on devices with Google Play Services.


Protecting Yourself from Mobile Malware

To stay safe from threats like SparkCat and FatBoyPanel, users should adopt the following security measures:

  • Verify App Authenticity: Always download apps from reputable developers and review user feedback before installation.

  • Limit App Permissions: Be cautious of apps requesting unnecessary permissions, especially access to photos and storage.

  • Use Security Software: Employ mobile security solutions that detect and block malware.

  • Regularly Update Software: Keep your device’s OS and applications up to date to patch vulnerabilities.

  • Avoid Clicking Suspicious Links: Be wary of app download links shared via WhatsApp, SMS, or email.
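One way to act on the permission advice above, as an added example that is not from the article or from Kaspersky's research: a Python script that parses the text of `adb shell dumpsys package` and lists which installed apps currently hold gallery or SMS permissions, the two grants SparkCat and FatBoyPanel respectively depend on. The dump format in the embedded sample is a constructed approximation of a real device's output, and the package names are made up.

```python
"""Flag installed Android apps holding photo/storage or SMS permissions.
Input: text of `adb shell dumpsys package` (sample below is constructed)."""
import re
import sys

# Grants worth a second look: gallery access is what SparkCat's OCR scan needs,
# SMS access is what FatBoyPanel's OTP redirection needs.
SENSITIVE = {
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/storage",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([A-Za-z0-9_.]+): granted=(true|false)")

def granted_sensitive(dump):
    """Return {package: sorted granted sensitive permissions}, only for apps holding one."""
    found, current = {}, None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:  # start of the next package block
            current = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        if current and perm and perm.group(2) == "true" and perm.group(1) in SENSITIVE:
            found.setdefault(current, set()).add(perm.group(1))
    return {p: sorted(s) for p, s in found.items()}

# Constructed sample: one app with gallery access, one with SMS access.
SAMPLE_DUMP = """\
  Package [com.example.fooddelivery] (1a2b3c):
    User 0: installed=true
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.wallet] (7a8b9c):
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    # Real use: adb shell dumpsys package | python3 audit_perms.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for pkg, perms in sorted(granted_sensitive(text).items()):
        print(f"{pkg}: " + ", ".join(f"{p} ({SENSITIVE[p]})" for p in perms))
```

Any app in the output whose core function does not plausibly need that grant is a candidate for revoking the permission in Settings or uninstalling.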


As mobile malware threats continue to evolve and grow, it is crucial for users to remain vigilant, adopt cyber hygiene best practices, and stay informed about emerging cybersecurity risks.