Kaspersky Labs has found malicious software in apps distributed through Google Play and the Apple App Store that steals crypto wallet recovery phrases.
Malicious Software SparkCat
Kaspersky analysts Sergey Puzan and Dmitry Kalinin report that once the malware, dubbed SparkCat, is installed on a device, it scans the images in the phone's gallery with an optical character recognition (OCR) based stealer, looking for text that matches a wallet recovery phrase.
How the Malware Works
SparkCat steals recovery phrases for crypto wallets; a recovery phrase alone is enough to take full control of the victim's wallet and drain its funds. Because the stealer works on any text it can read from images, it can also lift other personal data, such as message content or passwords, from screenshots. On Android, it uses a Java component called Spark, disguised as an analytics module.
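The OCR stealer described above has to decide which of the thousands of images on a phone contain a recovery phrase. The following Python is an added illustration of how OCR output can be screened for BIP-39 style mnemonics; it is not SparkCat's code and is not Kaspersky's analysis, and the wordlist, phrase-length set, noise threshold and the sample "backup card" text are all constructed here. A real screener would load the full 2048-word BIP-39 list instead of the small stand-in used below.

```python
import re
from typing import List, Tuple

# Constructed stand-in for the 2048-word English BIP-39 list (assumption: a real
# screener loads the full list). Only words in this set count as wordlist hits.
BIP39_WORDS = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual", "adapt", "add", "addict", "address",
    "year", "yellow", "young", "youth", "zebra", "zero", "zone", "zoo",
}

PHRASE_LENGTHS = (12, 15, 18, 21, 24)  # lengths a BIP-39 mnemonic can have
MIN_HIT_RATIO = 0.9                     # tolerate one misread word in twelve

_WORD_RE = re.compile(r"[A-Za-z]+")


def tokenize_ocr(text: str) -> List[str]:
    """Lower-case alphabetic tokens from raw OCR output.

    Digits and punctuation are dropped, so the '1.' / '2)' numbering printed
    on seed-phrase backup cards does not break the word sequence.
    """
    return [t.lower() for t in _WORD_RE.findall(text)]


def find_seed_phrases(text: str) -> List[Tuple[int, List[str]]]:
    """Return (start_index, words) for each run of tokens that looks like a
    recovery phrase: a window of a valid mnemonic length in which at least
    MIN_HIT_RATIO of the words are on the wordlist.

    Longer windows are tried first and claim their token positions, so a
    24-word phrase is reported once rather than as overlapping 12-word hits.
    """
    tokens = tokenize_ocr(text)
    claimed: set = set()
    found: List[Tuple[int, List[str]]] = []
    for n in sorted(PHRASE_LENGTHS, reverse=True):
        for start in range(len(tokens) - n + 1):
            window = range(start, start + n)
            if any(i in claimed for i in window):
                continue
            words = tokens[start:start + n]
            hits = sum(w in BIP39_WORDS for w in words)
            if hits / n >= MIN_HIT_RATIO:
                found.append((start, words))
                claimed.update(window)
    return sorted(found)


if __name__ == "__main__":
    # Constructed OCR output from a photographed backup card, with one misread word.
    card = " ".join(f"{i}. {w}" for i, w in enumerate(
        ["abandon", "abilty", "able", "about", "above", "absent", "absorb",
         "abstract", "absurd", "abuse", "access", "accident"], start=1))
    for start, words in find_seed_phrases(card):
        print(f"candidate phrase at token {start}: {' '.join(words)}")
```

Two properties make this kind of filter cheap enough to run over an entire gallery: almost every ordinary photo yields no run of twelve dictionary words, so nearly all images are discarded immediately, and the small tolerance for OCR misreads means a slightly blurry photo of a backup card is still flagged. The same check run over your own photo library is a quick way to find the screenshots and photos the analysts' advice says should not be there.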
Recommendations and Origin
The analysts recommend not keeping screenshots or photos of recovery phrases and other sensitive information in the phone gallery, and using a password manager instead. It is unclear whether the affected apps were compromised through a supply chain attack or were backdoored intentionally by their developers. Comments and error descriptions in Chinese were found within the code.
SparkCat continues to pose a threat to both Android and iOS users, and its presence in the official app stores is a reminder that store review is not a substitute for caution about which apps are installed and what they are allowed to access.