Security researchers at Kaspersky have discovered a malicious software development kit (SDK) embedded in Android and iOS apps available on Google Play and the Apple App Store.
This SDK is designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR) technology, posing a major threat to crypto holders.
“SparkCat” Campaign Targeting Crypto Users
The attack, dubbed “SparkCat,” is named after “Spark,” one of the malicious SDK components found in infected apps. According to Kaspersky, many app developers likely integrated the SDK unknowingly. On Google Play alone, the infected apps were downloaded over 242,000 times.
Kaspersky explains:
“We found Android and iOS apps that had a malicious SDK/framework embedded to steal crypto wallet recovery phrases, some of which were available on Google Play and the App Store. This is the first known case of a stealer being found in the App Store.”
How the Malicious SDK Works
On Android, the malicious SDK includes a Java component called “Spark” disguised as an analytics module. It retrieves encrypted configuration files from GitLab to receive commands and updates.
On iOS, the framework appears under different names like “Gzip,” “googleappsdk,” and “stat.” It also includes a Rust-based networking module, “im_net_sys,” which communicates with the attackers’ command and control (C2) servers.
The malware uses Google ML Kit OCR to scan images on infected devices, searching for wallet recovery phrases stored as screenshots. It recognizes text in multiple scripts, including Latin, Korean, Chinese, and Japanese. Once sensitive text is identified, the information is sent to a remote server, where the attackers can extract wallet recovery data and gain access without needing a password.
Infected Apps and User Precautions
Kaspersky identified 18 infected Android apps and 10 iOS apps, some of which are still available for download. One such app, “ChatAi”, had over 50,000 downloads before being removed from Google Play. A full list of affected apps is available in Kaspersky’s report.
If you have installed any of these apps, it is strongly recommended that you:
✅ Uninstall the app immediately
✅ Run a mobile antivirus scan to detect any leftover malware
✅ Consider a factory reset if you suspect further compromise
To protect your crypto assets, never store recovery phrases in screenshots. Instead, use secure offline methods such as:
- Physical copies stored securely
- Encrypted removable storage
- Self-hosted offline password managers
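Added example, not from the article or Kaspersky's report: a self-audit script that scans OCR output of your own screenshots for checksum-valid BIP39 recovery phrases, so such images can be found and deleted before an app with gallery access and an OCR module reaches them. It assumes the caller supplies the official 2048-word English BIP39 list; the constructed DEMO_WORDLIST stands in for it here.

```python
import hashlib
import re

# Mnemonic lengths BIP39 allows (12..24 words in steps of 3), longest first.
VALID_LENGTHS = (24, 21, 18, 15, 12)

# Constructed stand-in for the 2048-word English BIP39 list ("waaaa", "waaab", ...,
# index digits mapped to letters). Real use loads the official list instead.
DEMO_WORDLIST = ["w" + f"{i:04d}".translate(str.maketrans("0123456789", "abcdefghij"))
                 for i in range(2048)]


def mnemonic_from_entropy(entropy, wordlist):
    """Build the BIP39 mnemonic for `entropy` (16..32 bytes, multiple of 4).
    Used only to construct sample phrases for the demo and test."""
    cs_len = len(entropy) * 8 // 32          # one checksum bit per 32 entropy bits
    digest = hashlib.sha256(entropy).digest()
    bits = (format(int.from_bytes(entropy, "big"), f"0{len(entropy) * 8}b")
            + format(int.from_bytes(digest, "big"), "0256b")[:cs_len])
    return [wordlist[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def is_valid_mnemonic(words, wordlist):
    """True if `words` is a checksum-valid BIP39 mnemonic over `wordlist`."""
    index = {w: i for i, w in enumerate(wordlist)}
    if len(words) not in VALID_LENGTHS or len(index) != 2048 or not set(words) <= index.keys():
        return False
    bits = "".join(format(index[w], "011b") for w in words)
    cs_len = len(bits) // 33
    ent_bits, checksum = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(int.from_bytes(hashlib.sha256(entropy).digest(), "big"), "0256b")
    return checksum == expected[:cs_len]


def find_mnemonics(ocr_text, wordlist):
    """Return each checksum-valid mnemonic found as a run of consecutive words in OCR
    text; numbering and punctuation wallets print beside words ("1. abandon,") are skipped."""
    vocab = set(wordlist)
    tokens = re.findall(r"[a-z]+", ocr_text.lower())
    hits, i = [], 0
    while i < len(tokens):
        for n in VALID_LENGTHS:              # longest first, so a 24-word phrase is
            run = tokens[i:i + n]            # not reported as its 12-word prefix
            if len(run) == n and all(t in vocab for t in run) \
                    and is_valid_mnemonic(run, wordlist):
                hits.append(" ".join(run))
                i += n - 1
                break
        i += 1
    return hits
```

Run the scan over the text your OCR tool extracts from each screenshot; any hit is a phrase that should only ever exist on the offline media listed above.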
Both Apple and Google have been contacted for comments regarding the presence of these malicious apps, and updates will be provided as they respond.
Bijay Pokharel