SparkCat Crypto Stealer Malware Infected Multiple Apps on Play Store, App Store

Several apps on the App Store and Google Play store were found to be infected with a crypto stealer malware by security researchers at Kaspersky. These applications reportedly included a malicious software development kit (SDK) that was designed to use optical character recognition (OCR) to steal "crypto wallet recovery phrases" from screenshots stored on a user's smartphone. It's also worth noting that this is the first time that apps with cryptocurrency stealing malware have been detected on Apple's App Store.

SparkCat Infected Apps Detected Crypto Wallet Recovery Phrases Stored Using Screenshots

In a detailed technical report published on Thursday, the researchers said that at least 18 Android applications were infected with the malicious SparkCat SDK, while the malicious framework was found in 10 iOS apps on the App Store. The cumulative download count on Android smartphones was over 2.42 lakh, according to the researchers.

Two of the infected apps on the Play Store (left) and App Store
Photo Credit: Kaspersky

Some of the infected applications appeared to be legitimate, while others (specifically messaging apps equipped with AI features) were published in order to tempt users to download the compromised application, as per the report. Meanwhile, Kaspersky said that some of the infected Android apps were still available to download via the Play Store at the time of publishing its report.

However, the researchers say that they cannot confirm whether the apps were infected by the developers on purpose, or whether they were impacted by a supply chain attack. Apple and Google have yet to publicly comment on the detection of these apps on their respective app stores.

Once installed on a user's device, these malicious apps would use a OCR technology to detect and extract text from images stored on the handset. Once the app detects a recovery phrase for a cryptocurrency wallet, it would upload the picture to an Amazon cloud server and send a message to the attacker's server to notify them when a recovery phrase is detected.

While Google and Apple have removed most of the apps detected by Kaspersky, users who have downloaded them will need to manually uninstall these applications. Meanwhile, it's worth storing recovery phrases for crypto wallets and accounts in a password manager, or an application that stores encrypted notes. This is considerably safer than keeping screenshots that are easily accessible to apps that have been granted the 'storage' or 'camera roll' permission.