SparkCat is a highly sophisticated piece of malware that targets both Android and iOS devices, with the specific aim of stealing sensitive information, particularly cryptocurrency wallet recovery phrases. The malware uses Optical Character Recognition (OCR) technology to scan and extract text from images in users photo libraries, allowing it to collect wallet recovery phrases and other sensitive data. SparkCat is primarily distributed through seemingly legitimate apps on the Apple App Store and Google Play Store, making it difficult to detect and avoid. This malware poses significant risks to digital asset security, particularly for users with cryptocurrency holdings.

‍

Technical Description

Background and Development:

The SparkCat campaign has been active since at least March 2024. It employs a malicious Software Development Kit (SDK) embedded within various applications distributed through both official app stores (Google Play and Apple’s App Store) and unofficial sources. This marks the first known instance of OCR-based malware infiltrating Apple’s App Store.

The infected applications span multiple categories, including artificial intelligence (AI) chat platforms, food delivery services and (Web3) related apps. Some of these apps appear legitimate, while others are designed specifically to lure victims. The Android version of the “ComeCome” food delivery app was among those compromised.

‍

Technical Analysis and Tactics:

Upon installation, SparkCat requests access to the user’s photo gallery, often under the impression of enabling features like customer support chat. Once granted, it utilizes Google’s ML Kit library to perform OCR on images stored in the gallery, searching for text related to cryptocurrency wallet recovery phrases. The malware supports multiple languages, including English, Chinese, Japanese, Korean, and various European languages, enhancing its ability to target a broad user base.

The malware’s architecture is notable for its use of the Rust programming language to implement a custom communication protocol with its command-and-control (C2) servers, a rarity in mobile malware development. This Rust-based module encrypts and transmits the extracted data to the attackers’ servers, often disguising the traffic to evade detection.

SparkCat employs advanced obfuscation techniques, such as disguising malicious frameworks as system packages and mimicking legitimate services in its C2 domains. These strategies enhance its stealth, making detection and analysis more challenging.

‍

Conclusion

SparkCat presents a serious cybersecurity threat to organizations by enabling financial theft, corporate espionage, compliance risks and supply chain attacks. Companies must adopt strong mobile security policies to prevent infections and protect critical business data.

‍

Impact

SparkCat is not just a threat to individual users. It also poses serious risks to organizations, especially those involved in cryptocurrency, finance, and mobile app development.

‍

Data Breaches & Financial Losses:

Organizations with employees who handle crypto wallets, financial transactions or sensitive client data are at risk.
If an infected employee stores wallet recovery phrases or confidential documents as images, SparkCat can exfiltrate this data which leads to massive financial and reputational damage.
Companies that manage or invest in cryptocurrencies could see their assets being stolen.

‍

Supply Chain Attacks on Mobile Applications:

SparkCat spreads through trojanized SDKs embedded in mobile applications.
If an organization develops or maintains mobile apps and unknowingly integrates a compromised SDK, it could inadvertently distribute malware to thousands (or millions) of users.
This could lead to regulatory scrutiny, lawsuits and app store bans.

‍

Corporate Espionage & Insider Threats:

Attackers could use SparkCat to steal corporate documents, credentials, and private communication if employees store them as images (screenshots of emails, financial statements, or client contracts).
This increases the risk of corporate espionage, where competitors or cybercriminals gain access to strategic business information.

‍

Compliance Violations & Regulatory Fines:

Organizations in sectors like banking, fintech, and crypto exchanges must comply with strict regulations (GDPR, CCPA, PCI-DSS).
A SparkCat-related data breach could lead to hefty fines, lawsuits and loss of operating licenses.
Firms that store customer financial data could face legal consequences if they fail to prevent such breaches.

‍

Disruption of Business Operations:

A company relying on mobile apps for customer interaction (fintech platforms, banking apps) could experience user distrust and mass uninstallations if its app is found to be distributing SparkCat.
If SparkCat spreads within an organization, IT security teams may need to quarantine and investigate multiple devices, causing downtime and loss of productivity.

‍

IOC and Context Details

Recommended Actions

‍

1. For Individual Users

• Uninstall Infected Apps – Remove any suspicious or unfamiliar apps, especially AI chat apps, food delivery apps, or Web3/crypto-related apps.
• Check App Permissions – Revoke unnecessary permissions, especially access to your photo gallery, storage, and clipboard.
• Do Not Store Recovery Phrases in Images – Avoid saving sensitive data (like crypto wallet seeds) as screenshots or photos in your device gallery.
• Enable Device Security Features – Use built-in security options like Google Play Protect (Android) or App Store integrity checks (iOS).
• Use Reputable Security Software – Install a trusted mobile security solution to detect and block potential threats.
• Keep Your OS & Apps Updated – Ensure all apps and the operating system are up to date to reduce vulnerabilities.
• Download Apps Only from Official Stores – Avoid third-party APK sites that may distribute trojanized apps.

‍

2. For Organizations & Enterprises

For Companies Managing Mobile Apps:

• Audit Third-Party SDKs – Carefully review and test any external SDKs before integrating them into mobile apps.
• Perform Code Signing & Integrity Checks – Ensure mobile apps are signed and verified before distribution.
• Monitor App Store Listings – Regularly check for unauthorized or tampered versions of your app.

‍

3. For Businesses Using Mobile Devices

• Implement Mobile Device Management (MDM) – Restrict employees from installing unauthorized applications.
• Educate Employees About Cyber Threats – Train staff on recognizing malware, phishing scams, and risky app behaviors.
• Regularly Scan Corporate Devices – Use mobile threat detection (MTD) solutions to scan and block malicious activity.
• Restrict Image-Based Data Storage – Implement policies that prohibit storing sensitive data in images/screenshots.

‍

‍

4. Incident Response if Compromised

If You Suspect an Infection:

• Disconnect from the Internet – Prevent further data exfiltration to C2 servers.
• Uninstall the Suspicious App – Remove any app that may be involved.
• Run a Security Scan – Use mobile antivirus software to check for threats.
• Change Crypto Wallets & Credentials – If crypto-related data was compromised, immediately transfer funds to a new secure wallet.
• Report the Incident – Notify the app store (Google Play/App Store) and cybersecurity teams if in a corporate setting.
• Monitor for Suspicious Transactions – Keep an eye on financial accounts and crypto wallets for unauthorized activity.

‍

References

https://www.kaspersky.com/blog/ios-android-ocr-stealer-sparkcat/52980/