Kaspersky’s Threat Research expertise center has identified a new data-stealing Trojan, SparkCat, active in both the App Store and Google Play since at least March 2024. It is the first known case of OCR-based malware making it into Apple’s App Store, a significant concern for mobile security.
What is SparkCat?
SparkCat is a sophisticated malware designed to steal sensitive data from smartphone image galleries, primarily cryptocurrency wallet recovery phrases. It runs a machine-learning optical character recognition (OCR) model over the images on the device, looks for trigger keywords in the recognised text, and uploads the images that match. Because it reads whatever text a screenshot contains, it exposes other secrets too, such as passwords and private messages.
Kaspersky has reported the identified malicious applications to both Google and Apple, though the full extent of the breach remains under investigation.
How SparkCat Spreads
The Trojan spreads through:
- Infected Legitimate Apps: Some popular applications, including messengers, AI assistants, food delivery services, and crypto-related apps, were found to contain the malicious module, apparently without their developers’ knowledge.
- Malicious Lure Apps: Applications built solely to carry the Trojan and trick users into installing them.
- Unofficial Sources: Beyond the official stores, infected versions are circulating through third-party app stores.
Kaspersky’s telemetry data indicates that, in Google Play alone, these compromised apps have been downloaded over 242,000 times.
Targeted Regions
The malware primarily targets users in:
- United Arab Emirates (UAE)
- European Countries
- Asian Countries
SparkCat scans images for keywords in multiple languages, including:
- Chinese
- Japanese
- Korean
- English
- Czech
- French
- Italian
- Polish
- Portuguese
While these regions are the primary focus, experts believe that victims could emerge globally due to the wide reach of the infected applications.
Example of Infected App
One notable case is the food delivery app “ComeCome”, which was infected on both iOS and Android platforms.
How SparkCat Works
Upon installation, SparkCat:
- Requests Access to Photos: The request looks legitimate in context, for example in a customer-support chat or an image-upload feature where attaching a photo is expected.
- Scans Images Using OCR: An OCR module powered by machine learning reads the text in each image and checks it against a keyword list.
- Extracts and Sends Data: When the recognised text matches a trigger (e.g., a crypto recovery phrase), the image itself is transmitted to the attackers’ servers.
The malware focuses on cryptocurrency wallet recovery phrases, which grant hackers full control over wallets. It can also capture:
- Passwords
- Private Messages
- Sensitive Personal Data
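The decision step described above, screening OCR output for trigger keywords and for a recovery-phrase-shaped block of words, as an added Python example. This is not SparkCat’s code and does not come from Kaspersky’s report: the keyword lists and the three sample OCR outputs are constructed for illustration, and the mnemonic check is a shape heuristic (12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters, which is the BIP-39 format) rather than a lookup against the 2048-word BIP-39 list that a real stealer would carry. Fed the text from a local OCR tool, the same function is what a self-audit of your own screenshots for sensitive images would run.

```python
"""Screen OCR text the way an OCR-based gallery stealer decides which images to upload.

Added example, not SparkCat's code. Keyword lists and sample texts are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed trigger lists keyed by language (assumption: illustrative only; the
# report names the languages SparkCat searches in, not its exact keyword lists).
KEYWORDS: Dict[str, List[str]] = {
    "en": ["recovery phrase", "seed phrase", "secret phrase", "mnemonic", "private key"],
    "zh": ["助记词", "私钥", "恢复短语"],
    "ja": ["リカバリーフレーズ", "秘密鍵"],
    "ko": ["복구 구문", "니모닉", "개인 키"],
    "cs": ["obnovovací fráze", "soukromý klíč"],
    "fr": ["phrase de récupération", "clé privée"],
    "it": ["frase di recupero", "chiave privata"],
    "pl": ["fraza odzyskiwania", "klucz prywatny"],
    "pt": ["frase de recuperação", "chave privada"],
}

# BIP-39 mnemonics are 12, 15, 18, 21 or 24 words; every list word is 3..8 lowercase letters.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}")
# Numbering that wallet apps and users put in front of each word: "1. word", "12) word", "3: word"
LABEL_RE = re.compile(r"(?<!\S)\d{1,2}[.):]\s*")


def find_keywords(text: str) -> List[Tuple[str, str]]:
    """Return every (language, keyword) pair whose keyword occurs in the OCR text."""
    lowered = text.lower()
    return [(lang, kw) for lang, kws in KEYWORDS.items() for kw in kws if kw.lower() in lowered]


def find_mnemonic(text: str) -> List[str]:
    """Return the words of a mnemonic-shaped block, or [] if none is present.

    Consecutive lines made only of lowercase 3..8-letter words (after stripping
    "1." style labels) are joined into one run; a run whose length is a valid
    BIP-39 length is reported. A line with capitals, digits or punctuation ends
    the run, which keeps headings and warnings out of the word count.
    """
    run: List[str] = []
    for line in text.splitlines():
        tokens = LABEL_RE.sub("", line).split()
        if tokens and all(WORD_RE.fullmatch(t) for t in tokens):
            run.extend(tokens)
            continue
        if len(run) in MNEMONIC_LENGTHS:
            return run
        run = []
    return run if len(run) in MNEMONIC_LENGTHS else []


def classify(ocr_text: str) -> Dict[str, object]:
    """Decide whether an image would be selected for exfiltration and why."""
    keywords = find_keywords(ocr_text)
    mnemonic = find_mnemonic(ocr_text)
    return {
        "exfiltrate": bool(keywords or mnemonic),
        "keywords": keywords,
        "mnemonic_words": len(mnemonic),
    }


# Constructed OCR outputs standing in for three gallery images.
SAMPLES: Dict[str, str] = {
    # A numbered wallet backup screenshot (first 12 words of the BIP-39 English list).
    "wallet_backup": (
        "Recovery phrase\n"
        "1. abandon 2. ability 3. able 4. about\n"
        "5. above 6. absent 7. absorb 8. abstract\n"
        "9. absurd 10. abuse 11. access 12. accident\n"
        "Never share this with anyone"
    ),
    # A harmless receipt: no keywords, no word block of a mnemonic length.
    "receipt": "Order #4821\nTotal: 12.50 USD\nThank you for your purchase",
    # A chat screenshot in Chinese that mentions the seed phrase (助记词) but shows no words.
    "chat_zh": "把助记词发给我,我帮你恢复钱包",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify(text))
```

The receipt is rejected by both checks, the Chinese chat is selected on the keyword alone, and the backup screenshot is selected twice over: by the heading and by the 12-word block. Whitelisting screenshots by their own appearance is therefore not a defence; the advice not to keep such images in the gallery at all is.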
Unique and Dangerous Features
- Stealth Operations: Operates without obvious signs, making it hard for both users and app store moderators to detect.
- Legitimate-Looking Permissions: Requests seem contextually appropriate, reducing suspicion.
- Global Reach: Found on official app stores, giving it a massive potential victim base.
Possible Origins
Kaspersky’s analysis revealed:
- Code Comments in Chinese in the Android version.
- Developer Home Directory Names like “qiongwu” and “quiwengjing” in the iOS version.
While these clues suggest that the threat actors are fluent in Chinese, there’s insufficient evidence to link the campaign to a specific cybercriminal group.
ML-Powered Attacks
SparkCat highlights a growing trend: cybercriminals leveraging machine learning in their tools.
- On Android, the malicious module decrypts and loads an OCR plug-in built on the Google ML Kit library to recognise text in images.
- On iOS, it performs the same kind of machine-learning text recognition.
Detection and Protection
Kaspersky has integrated protection against SparkCat into its security solutions. The malware is detected as:
- HEUR:Trojan.IphoneOS.SparkCat.* (iOS)
- HEUR:Trojan.AndroidOS.SparkCat.* (Android)
How to Protect Yourself
- Uninstall Infected Apps: If you suspect you have installed an infected app, remove it immediately, and review which apps have been granted access to your photos.
- Avoid Storing Sensitive Screenshots: Do not keep images containing sensitive data, such as crypto wallet recovery phrases or passwords, in your gallery; a recovery phrase belongs on paper or in a hardware wallet, not in a screenshot.
- Use Password Managers: Store passwords and other secrets in a password manager rather than in photos or notes.
- Install Reliable Security Software: A mobile security product that detects this family can flag an infected app before it scans your gallery.
- Regularly Update Apps: Keep all apps on their latest versions, as developers typically remove a malicious component quickly once it is reported.