Crypto-Stealing Apps Discovered on Apple App Store for the First Time
Security researchers at Kaspersky have uncovered a cryptocurrency-stealing campaign affecting both Android and iOS devices, marking the first known case of a stealer being found on the Apple App Store. The malicious apps were also distributed through the Google Play Store, where they were downloaded more than 242,000 times.
The campaign, named “SparkCat,” takes its name from a malicious SDK component called “Spark” embedded within infected applications. In many cases, the app developers are believed to have unknowingly included the harmful software development kit (SDK) in their apps.
How the Malware Works
The infected apps contain a malicious SDK designed to steal cryptocurrency wallet recovery phrases. These recovery phrases, also known as seed phrases, allow attackers to fully restore and access victims’ crypto wallets without needing their passwords.
The malware uses optical character recognition (OCR) technology to scan images stored on users’ devices. Specifically, it leverages OCR tools such as Google ML Kit to extract text from photos and screenshots. It then searches for recovery phrases using region-specific keywords in multiple languages.
Android Infection Details
On Android devices, the malicious SDK includes a Java component named “Spark,” disguised as a legitimate analytics module. It retrieves instructions from an encrypted configuration file hosted on GitLab. This file allows attackers to update commands and control the malware’s behavior remotely.
iOS Infection Details
On iOS, the malicious framework appears under different names, including “Gzip,” “googleappsdk,” and “stat.” It also incorporates a Rust-based networking module called “im_net_sys” to communicate with command-and-control (C2) servers.
After collecting device information, the malware sends it to a remote server via a specific API path. In response, it receives instructions that determine its next actions. The SDK dynamically loads OCR language models depending on the device’s system language, enabling it to recognize Latin, Korean, Chinese, and Japanese characters in images.
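An added triage example (not code from Kaspersky's report or from the campaign itself): this Python script walks an unpacked app bundle and flags the combination the article describes, namely the reported module names, a bundled ML Kit text-recognition dependency, and a GitLab-hosted configuration URL. The ML Kit byte markers and the sample bundle are assumptions constructed for the demo; names such as "gzip" or "stat" are noisy, so a hit only marks an app for closer review.

```python
import os
import re
import tempfile

# Module/framework names the report attributes to the malicious SDK.
SUSPECT_NAMES = {"spark", "gzip", "googleappsdk", "stat", "im_net_sys"}
# Byte markers for a bundled ML Kit text-recognition dependency (assumption).
OCR_MARKERS = (b"mlkit", b"textrecognition")
# The report says the Android configuration is fetched from GitLab.
GITLAB_URL = re.compile(rb"https?://[\w.-]*gitlab\.com/[\w./%-]+")

def scan_bundle(root):
    """Walk an unpacked bundle; return the indicators found (heuristic, noisy)."""
    found = {"suspect_modules": [], "ocr_present": False, "config_urls": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.lower().split(".")[0] in SUSPECT_NAMES:
                found["suspect_modules"].append(
                    os.path.relpath(os.path.join(dirpath, name), root))
        for fn in filenames:
            try:
                with open(os.path.join(dirpath, fn), "rb") as fh:
                    data = fh.read(8 * 1024 * 1024).lower()  # cap per-file read
            except OSError:
                continue
            if any(m in data for m in OCR_MARKERS):
                found["ocr_present"] = True
            found["config_urls"] += [u.decode("ascii", "replace")
                                     for u in GITLAB_URL.findall(data)]
    return found

def risk_level(found):
    """OCR capability + suspect SDK names + remote config together form the pattern."""
    score = bool(found["suspect_modules"]) + found["ocr_present"] + bool(found["config_urls"])
    return ("clean", "low", "medium", "high")[score]

def make_sample_bundle():
    """Constructed sample bundle (not a real app) mimicking the reported layout."""
    root = tempfile.mkdtemp()
    fw = os.path.join(root, "Frameworks", "im_net_sys.framework")
    os.makedirs(fw)
    with open(os.path.join(fw, "im_net_sys"), "wb") as fh:
        fh.write(b"MLKitTextRecognition\x00"
                 b"https://gitlab.com/example/cfg/raw/main/config.bin\x00")
    return root

if __name__ == "__main__":
    result = scan_bundle(make_sample_bundle())
    print(risk_level(result), result)
```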
A Significant Milestone in Mobile Threats
According to Kaspersky, this is the first confirmed case of a stealer operating through the Apple App Store. The discovery highlights how malicious SDKs can infiltrate official app marketplaces and impact both Android and iOS users at scale.
The campaign demonstrates a growing threat to cryptocurrency holders, especially those who store wallet recovery phrases in screenshots or images on their devices.