Kaspersky Warns of Malware SparkCat Stealing Crypto Wallet Mnemonics
SparkCat malware, found in apps on Google Play and the Apple App Store and downloaded an estimated 242,000 times, uses OCR to pull cryptocurrency recovery phrases and other sensitive data out of victims' photo galleries.
A recent report by Kaspersky Labs has revealed a sophisticated and widespread malware campaign targeting cryptocurrency users.
Dubbed SparkCat, the malware has been embedded in numerous applications on both the Google Play Store and the Apple App Store. Kaspersky estimates that the infected Google Play apps alone were downloaded more than 242,000 times and traces the campaign back to around March 2023.
Its primary function is the surreptitious extraction of cryptocurrency wallet recovery phrases (seed phrases); whoever holds such a phrase can restore the wallet and gains complete control of the victim's funds.
Kaspersky Labs Dissects the Malware Operation
The mechanism employed by SparkCat is remarkably cunning. Researchers Sergey Puzan and Dmitry Kalinin detail how the malware, once installed and granted access to the photo gallery, applies optical character recognition (OCR) to the images stored on the infected device.
Specifically, it searches the recognised text for keywords associated with cryptocurrency recovery phrases in multiple languages, which significantly broadens its reach. The OCR itself comes from Google's ML Kit text-recognition library; matching images and the extracted phrases are handed to a Rust-based networking module and transmitted to the attackers' servers, granting them unfettered control over the victim's cryptocurrency wallets.
Beyond recovery phrases, SparkCat's data harvesting is not narrowly targeted: any image in the gallery whose text matches its keyword lists can be exfiltrated, including screenshots of messages and passwords.
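The selection step described above (multilingual keyword search over OCR output, then extraction of anything shaped like a seed phrase) is easy to reproduce, and the same logic is useful defensively for auditing one's own screenshots. The script below is an added example written for this article; it is neither Kaspersky's nor SparkCat's code. It assumes the OCR step has already been done (ML Kit on the device is out of scope) and works on constructed strings standing in for OCR output; the keyword lists and the "3 to 8 lowercase letters, at least 12 in a row" mnemonic heuristic are illustrative assumptions, not the malware's actual lists.

```python
"""Triage of OCR text for leaked wallet recovery phrases (added example, not
Kaspersky's or SparkCat's code). Keyword lists and heuristics are assumptions."""
import re
from dataclasses import dataclass, field

# Labels that commonly appear on a wallet backup screen (assumed, illustrative set).
SEED_KEYWORDS = {
    "en": ["recovery phrase", "seed phrase", "secret phrase", "mnemonic"],
    "zh": ["助记词", "恢复短语"],
    "ja": ["リカバリーフレーズ", "ニーモニック"],
    "ko": ["복구 구문", "니모닉"],
    "fr": ["phrase de récupération"],
    "pt": ["frase de recuperação"],
}
# Labels marking the other secrets the report says are harvested from screenshots.
CREDENTIAL_KEYWORDS = {
    "en": ["password", "passcode"],
    "zh": ["密码"],
    "ja": ["パスワード"],
    "ko": ["비밀번호"],
}

# BIP-39 English words are 3-8 lowercase letters and 12 words is the shortest
# standard mnemonic, so a run of >= 12 such words is the structural signal.
WORD_RE = re.compile(r"[a-z]{3,8}")
MIN_MNEMONIC_WORDS = 12
# Backup screens number their words ("1. abandon", "12) accident"); drop the numbering.
NUMBERING_RE = re.compile(r"\b\d{1,2}[.):]?\s*")
LETTER_RUN_RE = re.compile(r"[A-Za-z]+")


@dataclass
class Verdict:
    seed_keywords: list = field(default_factory=list)        # (lang, keyword) pairs
    credential_keywords: list = field(default_factory=list)  # (lang, keyword) pairs
    mnemonic_runs: list = field(default_factory=list)        # word lists, len >= 12

    @property
    def label(self) -> str:
        if self.seed_keywords and self.mnemonic_runs:
            return "likely seed phrase"
        if self.mnemonic_runs:
            return "possible word list"
        if self.seed_keywords or self.credential_keywords:
            return "secret-related screenshot"
        return "benign"


def find_keywords(text: str, table: dict) -> list:
    """Case-insensitive substring search across every language in the table."""
    lowered = text.lower()
    return [(lang, kw) for lang, kws in table.items() for kw in kws if kw.lower() in lowered]


def find_mnemonic_runs(text: str) -> list:
    """Return maximal runs of >= 12 consecutive mnemonic-shaped words.

    Only Latin-letter runs count as tokens; digits, punctuation and non-Latin
    text neither extend nor break a run, so a numbered grid layout yields one run.
    """
    runs, current = [], []
    for token in LETTER_RUN_RE.findall(NUMBERING_RE.sub(" ", text)):
        if WORD_RE.fullmatch(token):
            current.append(token)
            continue
        if len(current) >= MIN_MNEMONIC_WORDS:
            runs.append(current)
        current = []
    if len(current) >= MIN_MNEMONIC_WORDS:
        runs.append(current)
    return runs


def triage(ocr_text: str) -> Verdict:
    return Verdict(
        seed_keywords=find_keywords(ocr_text, SEED_KEYWORDS),
        credential_keywords=find_keywords(ocr_text, CREDENTIAL_KEYWORDS),
        mnemonic_runs=find_mnemonic_runs(ocr_text),
    )


# Constructed OCR outputs for demonstration (not real captures).
SAMPLES = {
    "wallet_backup": (
        "Your Recovery Phrase\n"
        "Write these words down carefully\n"
        "1. abandon  2. ability  3. able  4. about\n"
        "5. above  6. absent  7. absorb  8. abstract\n"
        "9. absurd  10. abuse  11. access  12. accident\n"
    ),
    "wifi_screenshot": "Wi-Fi  HomeNet\nPassword: hunter2-not-really\n",
    "chat_zh": "请把助记词发给我\n",
    "holiday_photo": "Brighton Pier 2024\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        v = triage(text)
        print(f"{name:16} {v.label:26} keywords={v.seed_keywords + v.credential_keywords} "
              f"runs={[len(r) for r in v.mnemonic_runs]}")
```

Run defensively, feed it the text an OCR tool (ML Kit, Tesseract) produces for each image in a gallery export; anything labelled "likely seed phrase" is a photo that should not exist, and the wallet it belongs to should be treated as exposed. The heuristic deliberately errs towards false positives: the stealer can afford to upload extra images, and a self-audit would rather review a few harmless word lists than miss a backup screen.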
The malware's architecture is noteworthy for its complexity and cross-platform reach. On Android, SparkCat ships as a Java component disguised as an analytics module, which fetches an encrypted configuration file hosted on GitLab.
That configuration file carries commands and operational updates, so the operators can retune the malware without shipping a new app version, which also makes it harder to detect. The networking code is written in Rust, a language still uncommon in mobile apps, which adds a further hurdle for analysts and for automated detection.
Kaspersky Investigation
The distribution of SparkCat is equally concerning. Kaspersky's investigation found it in dozens of applications, ranging from seemingly legitimate services such as a food delivery app to more dubious ones such as AI-powered messaging apps.
Notably, the researchers could not determine whether the malware entered the affected apps through a supply chain attack or was included deliberately by their developers, but Chinese-language comments in the code hint at the authors' origin.
The estimated 242,000 downloads represent a substantial number of potentially compromised devices, primarily in Europe and Asia. Kaspersky recommends immediate action: do not keep sensitive information such as recovery phrases or passwords in the image gallery, use a password manager instead, and promptly remove any suspicious or infected application. Because a recovery phrase cannot be revoked, any wallet whose phrase was ever photographed or screenshotted on an affected device should be treated as exposed and its funds moved to a wallet created from a fresh phrase.