SparkCat: Multi-Platform Malware Spreading Through App Stores
Cybersecurity researchers from Kaspersky have uncovered a new malware campaign dubbed “SparkCat,” targeting both Android and iOS users through official app stores, including Google Play and the Apple App Store.
In a Rush? Here are the Quick Facts!
- SparkCat malware campaign targets government and telecom entities worldwide.
- Attackers use modified open-source tools for initial access and persistence.
- SparkRat, a multi-platform RAT, enables remote control of infected systems.
Kaspersky says that this marks the first instance of a stealer being found within Apple’s ecosystem, raising concerns over security vulnerabilities in mobile applications.
The malware, embedded within a malicious software development kit (SDK), was discovered in Android and iOS applications that had amassed over 242,000 downloads.
SparkCat primarily functions as an optical character recognition (OCR) stealer, scanning images in users’ device galleries to extract crypto wallet recovery phrases. This technique allows attackers to bypass traditional security measures and gain unauthorized access to victims’ digital assets.
ESET’s investigation traced SparkCat’s activity back to March 2024. The malware operates by utilizing an OCR plug-in built with Google’s ML Kit library to identify and extract sensitive text from images.
The stolen data is then sent to a command-and-control (C2) server using a communication protocol implemented in Rust—a programming language rarely used in mobile applications, further obfuscating its operations.
One of the infected apps, a food delivery service named “ComeCome,” was found on Google Play with over 10,000 downloads. In its version 2.0.0, the app secretly included harmful software called “Spark.”
Once installed, Spark connected to a GitLab repository to download hidden instructions, which it decoded and decrypted. If that failed, it used backup settings already built into the malware.
Before exfiltrating stolen data to a hacker-controlled server, the malware encrypted it with strong cryptography. It layered several methods, including AES-256, RSA keys, and compression, making it hard for security experts to track or recover the stolen information.
Infected apps prompted users to grant access to their photo galleries under the pretense of customer support interactions. If permission was granted, the malware actively searched for crypto-related keywords in multiple languages, including English, Chinese, and French, to identify valuable recovery phrases.
Security experts warn users to exercise caution when downloading apps, even from official sources, and to regularly audit app permissions to mitigate potential threats.
The discovery of SparkCat underscores the persistent risks posed by sophisticated malware campaigns within trusted digital marketplaces.