Recent findings reveal that several Android and iOS apps on the Google Play Store and Apple App Store contain a malicious software development kit (SDK) designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR) technology. This operation, dubbed “SparkCat,” derives its name from a malicious component called “Spark” embedded in the affected apps. The developers of these apps likely did not know they were part of this scheme.
According to cybersecurity firm Kaspersky, over 242,000 downloads of the infected apps occurred on Google Play alone. This marks the first known instance of a stealer being detected in the App Store.
How the Malicious SDK Operates
The malicious SDK embedded in Android apps includes a Java component named “Spark,” masquerading as an analytics module. It employs an encrypted configuration file stored on GitLab, allowing it to receive commands and updates. For iOS apps, the framework appears under various names such as “Gzip,” “googleappsdk,” or “stat,” and it utilizes a Rust-based networking module called “im_net_sys” for communication with command and control (C2) servers.
The SDK utilizes Google ML Kit OCR to extract text from images on the device, specifically targeting recovery phrases, which grant access to cryptocurrency wallets without requiring a password. The malware identifies images containing sensitive information by searching the extracted text for specific keywords in various languages, adapting its keyword set to the user’s geographic location.
Affected Apps and Recommendations
Kaspersky identified 18 infected Android apps and 10 iOS apps, many of which remain available for download. One notable example is the Android app ChatAi, which had over 50,000 installations but has since been removed from Google Play.
If you have any of these potentially compromised apps installed, it is crucial to uninstall them immediately. Users are also advised to run a mobile antivirus scan for remnants of the malware and consider performing a factory reset of their devices.
To enhance security, storing cryptocurrency wallet recovery phrases in screenshots is strongly discouraged. Instead, it is recommended to keep them on physical offline media, encrypted removable storage devices, or within the vault of self-hosted, offline password managers.
For a complete list of the affected apps, refer to Kaspersky’s report.