Researchers Flag Crypto-Stealing Malware in Google and Apple Apps

Kaspersky researchers have detailed a cross-platform malware campaign that targets cryptocurrency wallet recovery phrases through malicious mobile apps. According to the report, the “SparkCat” campaign uses a malicious software development kit (SDK) embedded in modified messaging apps and other applications to scan users’ image galleries for sensitive recovery data. The underlying technique was first observed in March 2023.

At that time, researchers observed malware components inside messaging apps scanning user galleries for crypto wallet recovery phrases, commonly known as mnemonics, and sending them to remote servers. That earlier campaign affected only Android and Windows users, and only through unofficial app sources, the researchers said. SparkCat, discovered in late 2024, is different: its SDK is integrated into various apps available on both official and unofficial app marketplaces for Android and iOS devices.

In one instance, a food delivery app called “ComeCome” on Google Play was found to include the malicious SDK. The infected apps have been collectively installed more than 242,000 times, and similar malware was later identified in apps available on Apple’s App Store. Stephen Ajayi, dApp audit technical lead at crypto cybersecurity firm Hacken, told Decrypt that preventative measures employed by app stores usually amount to automated checks and rarely include manual reviews.

Slava Demchuk, CEO of blockchain analytics firm AMLBot, further highlighted that the problem is compounded by code obfuscation and malicious updates that introduce malware after an app has already been approved. “In SparkCat’s case, attackers obfuscated the entry point to hide their actions from security researchers and law enforcement,” he told Decrypt. “This tactic helps them evade detection while keeping their methods secret from competitors.”

The malware uses Google’s ML Kit library to perform optical character recognition (OCR) on images stored on the device. When a user opens the support chat feature within the app, the SDK prompts them for permission to read the image gallery. If permission is granted, it runs OCR over the images and checks the recognized text for keywords, in multiple languages, that suggest a mnemonic is present. Matching images are then encrypted and transmitted to a remote server.
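The filter described above, written out as an added example in Python (the language a responder would use to triage OCR text pulled from a device, not anything recovered from SparkCat or from Kaspersky's tooling): constructed strings stand in for OCR output, the wordlist is a small illustrative subset of the real BIP39 English list, and the trigger phrases and thresholds are assumptions rather than values from the report. Run defensively over your own gallery, the same heuristic finds recovery-phrase screenshots that should never have been there.

```python
"""Heuristic seed-phrase detector run over OCR output.

Added example: not Kaspersky's tooling and not code recovered from SparkCat.
It models the filter the article describes (trigger keywords plus a run of
wordlist words) so the logic can be inspected, and it doubles as a defensive
scan for recovery-phrase screenshots that should not sit in a gallery.
"""
import re

# Illustrative subset of the BIP39 English wordlist. The real list has 2048
# words and a production scanner loads it in full (plus other language lists);
# the subset keeps this example self-contained.
BIP39_SAMPLE = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
album card order thank total you zebra zero zone zoo
""".split())

# Assumed trigger phrases in a few languages. SparkCat's real keyword lists
# are not reproduced here; these are stand-ins for the idea.
TRIGGER_PHRASES = (
    "recovery phrase", "seed phrase", "secret phrase", "backup phrase",
    "mnemonic", "frase de recuperación", "фраза восстановления", "助记词",
)

MIN_PHRASE_WORDS = 12          # shortest valid BIP39 mnemonic
DAMAGED_MIN_HITS = 10          # tuning choices for OCR-mangled phrases,
DAMAGED_MIN_RATIO = 0.75       # not values from the report


def tokenize(text):
    """Lower-case and split on anything that is not a letter or digit.
    Digits stay inside tokens so an OCR error like 'ab0ve' becomes one
    non-matching token rather than two fragments."""
    return re.findall(r"[^\W_]+", text.lower())


def longest_run(flags):
    """Length of the longest unbroken run of True values."""
    best = cur = 0
    for flag in flags:
        cur = cur + 1 if flag else 0
        best = max(best, cur)
    return best


def has_trigger(text):
    lowered = text.lower()
    return any(phrase in lowered for phrase in TRIGGER_PHRASES)


def classify(text, wordlist=BIP39_SAMPLE):
    """Return a verdict plus the measurements it was based on."""
    tokens = tokenize(text)
    hits = [tok in wordlist for tok in tokens]
    run = longest_run(hits)
    n_hits = sum(hits)
    ratio = n_hits / len(tokens) if tokens else 0.0
    trigger = has_trigger(text)

    if run >= MIN_PHRASE_WORDS:
        verdict = "likely_seed"        # clean 12/15/18/21/24-word run
    elif trigger and n_hits >= DAMAGED_MIN_HITS and ratio >= DAMAGED_MIN_RATIO:
        verdict = "likely_seed"        # labelled phrase with OCR damage
    elif trigger:
        verdict = "possible"           # keyword only, worth a second look
    else:
        verdict = "clean"
    return {"verdict": verdict, "run": run, "hits": n_hits,
            "tokens": len(tokens), "trigger": trigger}


# Constructed stand-ins for OCR output; none comes from a real device.
SAMPLE_SEED = ("Recovery phrase\n"
               "abandon abandon abandon abandon abandon abandon "
               "abandon abandon abandon abandon abandon about")
SAMPLE_DAMAGED = ("Seed phrase: acid actor adult ab0ve admit across "
                  "album zebra zero absent zone abuse")
SAMPLE_RECEIPT = "Thank you for your order. Total 42.10 paid by card."
SAMPLE_MENTION = "Your recovery phrase is stored safely."


if __name__ == "__main__":
    for name, text in [("seed", SAMPLE_SEED), ("damaged", SAMPLE_DAMAGED),
                       ("receipt", SAMPLE_RECEIPT), ("mention", SAMPLE_MENTION)]:
        print(f"{name:8s} {classify(text)}")
```

The receipt sample matters: ordinary text is full of wordlist words (thank, you, order, total, card are all BIP39 entries), so a scanner that counts matches without looking at consecutive runs would drown in false positives. The damaged sample shows the opposite failure mode, where a single OCR misread breaks the run and only the combination of a trigger phrase and a high match ratio recovers the detection; those thresholds are tuning choices to revisit against real OCR output.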

Demchuk noted that “this attack vector is pretty unusual—I’ve mostly seen similar tactics in ATM fraud, where attackers steal PIN codes.” He added that pulling off such an attack requires a good level of technical prowess, and if the process became simpler to replicate then it could cause a lot more damage. “If experienced fraudsters start selling ready-made scripts, this method could spread fast,” he said.

Ajayi agreed, noting that “OCR to scan is such a clever trick,” but he believes that there is still space for improvement. “Imagine the combination of OCR and AI to automatically pick out sensitive information from images or screens.” As advice to users, Demchuk recommended thinking twice before granting permissions to applications. Ajayi also suggested that wallet developers “should find better ways of handling and displaying sensitive data like seed phrases.”

Terron Gold
