In a concerning revelation, Kaspersky’s Threat Research expertise center has uncovered a new data-stealing Trojan, named SparkCat, actively circulating on both the AppStore and Google Play since at least March 2024. This Trojan is particularly alarming because it represents the first known instance of optical character recognition (OCR)-based malware making its way into these prominent app stores.
SparkCat leverages machine learning to stealthily scan image galleries and steal critical data such as cryptocurrency wallet recovery phrases and other sensitive information found in photos, like passwords. Kaspersky has already reported the malicious apps to both Google and Apple, hoping to mitigate further damage.
How the New Malware Spreads
SparkCat is not your typical malware—it spreads through a variety of infected legitimate apps and lures, including messengers, AI assistants, food delivery apps, crypto-related apps, and more. While some of these apps are available on the official platforms (Google Play and AppStore), Kaspersky’s telemetry data also shows the malware is being distributed through unofficial sources. As of now, over 242,000 downloads of the infected apps have been recorded in Google Play alone.
Who is Being Targeted?
Based on both the operational areas of the infected apps and a technical analysis of the malware, it appears that users in the UAE, as well as in various European and Asian countries, are the primary targets. The Trojan scans image galleries for specific keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. However, experts believe that victims from other countries might also be affected, given the widespread distribution of the malware.
A few examples of infected apps include the food delivery service ComeCome, which has versions for both iOS and Android. Additionally, some messenger apps from the AppStore are also reported to have been lures for the malware.
How SparkCat Works
Once installed, SparkCat requests access to view photos within the user’s smartphone gallery. It then activates an optical character recognition (OCR) module to analyze the text found within images. If the Trojan detects specific keywords related to cryptocurrency wallets or sensitive information, it sends the image to the attackers.
The primary goal of SparkCat is to steal recovery phrases for cryptocurrency wallets, which hackers can then use to seize control of a victim’s wallet and steal their funds. However, the Trojan is also capable of extracting other personal information from screenshots, such as messages, passwords, and more.
“This is the first known case of an OCR-based Trojan sneaking into the AppStore,” said Sergey Puzan, malware analyst at Kaspersky. “In terms of both AppStore and Google Play, at the moment it’s unclear whether applications in these stores were compromised through a supply chain attack or other methods.”
The Stealth Factor: Why SparkCat is Dangerous
SparkCat’s stealthiness is one of its most dangerous features. Since the malware operates without any obvious signs of infection, it can easily go unnoticed by both store moderators and mobile users. Additionally, the permissions requested by the infected apps seem perfectly reasonable. For example, accessing the gallery may appear essential for the app to function properly, especially when users are interacting with customer support. This makes users more likely to approve the request without suspicion.
Dmitry Kalinin, malware analyst at Kaspersky, adds: “The SparkCat campaign has some unique features that make it dangerous. The Trojan spreads through official app stores and operates without obvious signs of infection. The permissions it requests are easy to overlook, which further increases the risk.”
The Role of Machine Learning in SparkCat’s Attack
Cybercriminals are increasingly using neural networks in their attacks. In SparkCat’s case, the Android module utilizes the Google ML Kit library to decrypt and execute an OCR plugin that recognizes text in stored images. A similar method is used in the iOS version of the malware. These ML-powered attacks show how sophisticated cybercriminals have become in deploying machine learning techniques to enhance the effectiveness of their malicious tools.
How to Protect Yourself
Kaspersky’s solutions are currently protecting both Android and iOS users from SparkCat, detecting the Trojan as HEUR:Trojan.IphoneOS.SparkCat.* and HEUR:Trojan.AndroidOS.SparkCat.*. However, users should still take proactive measures to safeguard their personal data.
Here are some key safety tips to avoid falling victim to SparkCat:
- Remove infected apps: If you have installed any of the apps suspected of being infected, uninstall them immediately. Do not use them until updates are released to eliminate the malicious functionality.
- Avoid storing sensitive information in photos: Do not store screenshots containing sensitive information like cryptocurrency wallet recovery phrases in your gallery. Use specialized apps like Kaspersky Password Manager to store passwords securely.
- Use reliable cybersecurity software: Employ a trusted security solution, like Kaspersky Premium, to protect against malware infections and minimize the risks of attacks.
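The description above of how SparkCat works (OCR over gallery images, then a keyword check for wallet material) and the advice not to keep recovery-phrase screenshots in the gallery suggest a simple hygiene check a user or an organisation's DLP team can run on their own devices: feed the OCR output of each gallery image through a classifier that flags anything that looks like a wallet recovery phrase, so those images can be deleted before any malware gets to them. The following is an added example written for this article, not Kaspersky's code and not part of the Securelist report. It assumes the OCR step has already been done by whatever engine you prefer and that its text output is handed in as a dictionary; the BIP39 wordlist it carries is a constructed subset of the real 2048-word English list (a production tool would load the full list), and the sample OCR text is constructed.

```python
import re

# Constructed subset of the English BIP39 wordlist (the real list has 2048
# entries; a production tool would load the full list from the BIP39 reference).
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account achieve acid acquire across act action actor actual adapt add
address adjust admit adult advance advice afford afraid again age agent agree
ahead aim air alarm album alert all allow almost alone alpha also always among
amount anchor angle animal answer any apart appear apple area arm army around
arrive art artist asset attack audit author auto average avoid aware away axis
baby balance banana basic battle beach become before begin behind believe below
benefit best between beyond bird black blade blue board body book border bottom
box brain bridge bright bring broken brother brown budget build bus business busy
cable cage cake call calm camera camp can cancel capable capital car card carry
case cash cat catch cause chair change chapter check child choice circle city
clean click client clock close cloud club coach code coffee coin color come
common company confirm connect control cool copy core correct cost country
couple course cover crash crazy credit crime cross crowd cup current custom cycle
""".split())

# Labels that wallet apps print next to a phrase; matched case-insensitively.
WALLET_KEYWORDS = ("recovery phrase", "seed phrase", "secret phrase", "mnemonic")

# Standard phrases have 12, 15, 18, 21 or 24 words, so 12 is the shortest run
# of wordlist words that can be a complete phrase.
MIN_PHRASE_WORDS = 12


def _words(text: str) -> list[str]:
    # Keep only alphabetic tokens so the "1." "2." numbering wallets print in
    # front of each word does not break the run.
    return re.findall(r"[a-z]+", text.lower())


def longest_wordlist_run(text: str, wordlist=BIP39_SAMPLE) -> int:
    """Length of the longest run of consecutive words that are all in the wordlist."""
    best = run = 0
    for w in _words(text):
        run = run + 1 if w in wordlist else 0
        best = max(best, run)
    return best


def classify_ocr_text(text: str) -> list[str]:
    """Return the reasons this OCR output looks like wallet material (empty if none)."""
    reasons = []
    run = longest_wordlist_run(text)
    if run >= MIN_PHRASE_WORDS:
        reasons.append(f"wordlist-run={run}")
    lowered = text.lower()
    for kw in WALLET_KEYWORDS:
        if kw in lowered:
            reasons.append(f"keyword={kw}")
    return reasons


def find_sensitive_screenshots(ocr_results: dict[str, str]) -> dict[str, list[str]]:
    """Map image name -> reasons, for every image whose OCR text was flagged."""
    flagged = {}
    for name, text in ocr_results.items():
        reasons = classify_ocr_text(text)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample OCR output, standing in for what an OCR engine would
# return for four gallery images.
SAMPLE_OCR = {
    "IMG_0001.png": (
        "Your recovery phrase\n"
        "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
        "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
        "Write these words down and never share them"
    ),
    "IMG_0002.png": "hey are we still on for dinner tonight? the place near the station",
    "IMG_0003.png": "Back up your seed phrase before continuing. You will need it to restore the wallet.",
    "IMG_0004.png": "Shopping: apple banana coffee cake bread milk",
}

if __name__ == "__main__":
    for name, reasons in find_sensitive_screenshots(SAMPLE_OCR).items():
        print(f"{name}: {', '.join(reasons)}")
```

Two channels are used on purpose: the wordlist run catches a phrase laid out by any wallet regardless of the surrounding label, while the keyword channel catches setup screens that name the phrase without listing it. Requiring twelve consecutive wordlist words keeps ordinary text such as the shopping list out, since natural English rarely strings that many BIP39 words together; the grocery screenshot scores a run of four and is not flagged.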
Conclusion
The discovery of SparkCat is a stark reminder of the growing risks of mobile malware. With cybercriminals increasingly leveraging advanced technologies like machine learning, it’s vital for users to remain vigilant and proactive in securing their devices. By following Kaspersky’s recommendations and keeping an eye on app permissions, users can reduce the chances of becoming a target of these sophisticated attacks.
For further details, you can explore the full report on this campaign at Securelist.