Pierluigi Paganini
February 05, 2025
In March 2023, ESET found malware in modified versions of messengers using OCR to scan the victim’s gallery for images with recovery phrases to restore access to crypto wallets.
In late 2024, Kaspersky discovered a new malicious campaign, called SparkCat, where the attackers used similar tactics, but that targeted both Android and iOS users. The experts noted that the malware-laced apps were also distributed through official stores.
The experts discovered Android and iOS apps embedding malicious SDK/framework to steal crypto wallet recovery phrases. The malicious apps were downloaded more than 242,000 times from Google Play. Kaspersky states that this is the first known instance of a stealer being discovered in the App Store.
“The Android malware module decrypted and launched an OCR plugin based on the Google ML Kit library, which it used to recognize text in images in the device gallery. Using keywords received from C2, the Trojan sent images to the command server. The iOS malware module was similarly designed and also used the Google ML Kit library for OCR.” reads the report published by Kaspersky. “The malware, which we named SparkCat, used an unidentified protocol to communicate with C2, implemented in the Rust language, which is rare for mobile applications.”
The malicious SDK, disguised as an analytics module, uses a Java component called “Spark” on Android and a component in Rust on iOS called “Gzip,” “googleappsdk,” or “stat.” The component communicates with C2 servers and execute commands from an encrypted GitLab file.
The researchers determined that SparkCat has been active since March 2024 through the analysis of timestamps and the creation dates of configuration files in GitLab repositories.
The module uses Google ML Kit OCR to extract text from images, searching for cryptocurrency wallet recovery phrases in multiple languages. The malware loads different OCR models depending on the language of the victim to distinguish Latin, Korean, Chinese and Japanese characters in pictures
“The SDK then uploads device information to the command server at /api/e/d/u, and in response receives an object that regulates further operation of the malware.” continues the report. “We asked ourselves: what kind of images are the attackers interested in? To do this, we independently requested a list of keywords for OCR search from the command servers. In each case, we received words in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. All of these words point to the attackers’ financial motivation: they are interested in phrases for restoring access to crypto wallets, known as mnemonics.”
This campaign targets Android and iOS users in Europe and Asia, using localized keywords and apps supporting multiple countries, including the UAE, Kazakhstan, China, Indonesia, Zimbabwe, and others.
“Unfortunately, despite strict moderation on official platforms, as well as the well-known scheme for stealing crypto wallets using OCR, infected applications still appeared in Google Play and the App Store.” concludes the report. “The Trojan is especially dangerous because nothing gives away the malicious implant inside the application: the permissions it requests can be used in the main functionality of the application or seem harmless at first glance, and the malware works quite stealthily. This case once again destroys the myth that the threats posed by malicious applications for Android are not relevant for iOS.”
The report includes indicators of compromise (IoCs).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, SparkCat)
