Kaspersky Identifies SparkCat: A Dangerous Data-Stealing Trojan


A newly discovered data-stealing Trojan, dubbed SparkCat, has infiltrated both the Apple App Store and Google Play Store, marking a significant milestone in cybersecurity threats. According to Kaspersky’s Threat Research expertise center, SparkCat has been active since at least March 2024. This is the first documented instance of malware leveraging optical character recognition (OCR) to extract sensitive data from images on iOS devices.

The primary function of SparkCat is to scan image galleries and steal screenshots containing cryptocurrency wallet recovery phrases. However, its capabilities extend beyond cryptocurrency theft; the malware can identify and extract passwords, messages, and other confidential information embedded in images. Kaspersky has promptly reported all identified malicious applications to both Google and Apple to mitigate the threat.


How SparkCat Spreads: A Multi-Platform Infection

The spread of SparkCat is multi-faceted, leveraging both infected legitimate applications and malicious lures to reach unsuspecting users. These include apps across various categories such as:

  • Messaging applications
  • AI-powered assistants
  • Food delivery services
  • Cryptocurrency management tools
  • Finance and investment-related apps

Shockingly, some of these applications have been made available on official platforms like Google Play Store and the Apple App Store. Kaspersky’s telemetry data further suggests that SparkCat is also distributed via third-party and unauthorized app stores, significantly increasing its reach.

In the Google Play Store alone, over 242,000 downloads of these infected applications have been recorded, highlighting the massive potential impact of the malware.


Who is Being Targeted?

Based on an in-depth analysis of infection patterns, SparkCat appears to primarily target users in the United Arab Emirates (UAE), Europe, and Asia. The operational footprint of infected applications, as well as technical examinations of the malware, supports this assessment.

However, SparkCat’s ability to scan for keywords in multiple languages—including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese—suggests that victims could be located in other regions as well. Given the widespread adoption of cryptocurrency, individuals across the globe may be at risk.


How SparkCat Works: The Mechanism of Data Theft

Once installed, SparkCat executes a stealthy attack mechanism that operates in multiple phases:

  1. Permission Request: The malware strategically requests access to a user’s image gallery, making the request seem legitimate within the app’s functionality.
  2. OCR Analysis: SparkCat analyzes text in stored images using an optical character recognition (OCR) module.
  3. Data Extraction: If relevant keywords—such as wallet recovery phrases, passwords, or sensitive credentials—are detected, the malware immediately extracts and transmits the images to remote attacker-controlled servers.

The primary goal of SparkCat is to acquire cryptocurrency wallet recovery phrases, enabling cybercriminals to gain full control over victims’ digital assets and steal funds. However, its capabilities extend beyond cryptocurrency theft—the malware is equally adept at extracting passwords, private conversations, and other confidential data from screenshots.


Expert Insights on SparkCat’s Unique Threat

Sergey Puzan, a malware analyst at Kaspersky, emphasized the significance of SparkCat’s discovery:

“This is the first known case of an OCR-based Trojan infiltrating the Apple App Store. It remains uncertain whether applications in these stores were compromised via a supply chain attack or other undisclosed techniques. While some apps—like food delivery services—appear authentic, others are clearly designed as bait.”

Dmitry Kalinin, another malware expert at Kaspersky, shed light on the malware’s deceptive nature:

“SparkCat is particularly dangerous because it spreads via official app stores and operates with no clear signs of infection. Its ability to request seemingly legitimate permissions—such as access to photos—makes it difficult for both users and app store moderators to detect. Since image gallery access is often necessary for app functionality, users are unlikely to suspect malicious intent.”


Evidence of a Chinese Connection

Upon further examination of SparkCat’s Android variants, Kaspersky researchers found embedded comments in Chinese within the malware’s source code. Additionally, in the iOS version, developer home directory names such as “qiongwu” and “quiwengjing” were identified. This suggests that the attackers are fluent in Chinese; however, there is insufficient evidence to attribute the malware to a specific cybercriminal organization.


Machine Learning in Cybercrime: A Growing Trend

SparkCat represents a new wave of cybercrime where machine learning (ML) and neural networks are used to enhance attack capabilities.

  • In its Android version, SparkCat uses the Google ML Kit library to decrypt and execute OCR plugins, making it highly efficient in text recognition.
  • A similar method was employed in the iOS variant, indicating a cohesive, well-developed attack strategy across multiple platforms.


How to Stay Protected from SparkCat

Given the stealthy nature of this malware, users must exercise extreme caution when installing applications, even from trusted sources. Here are some key recommendations to enhance security:

  1. Limit App Permissions: Avoid granting unnecessary permissions, particularly gallery access, unless absolutely necessary.
  2. Verify App Authenticity: Always download applications from official developer websites or reputable sources with extensive user reviews.
  3. Use Robust Security Software: Install reliable antivirus solutions that can detect and neutralize malware.
  4. Regularly Update Software: Ensure both your operating system and applications are updated to the latest versions.
  5. Be Cautious with Screenshots: Avoid storing sensitive information—such as passwords, private keys, or recovery phrases—in your image gallery.
  6. Monitor Cryptocurrency Wallets: If you use a crypto wallet, enable two-factor authentication (2FA) and monitor suspicious transactions closely.
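Recommendation 5 is the one a user can act on today. The following added example (not Kaspersky's code and nothing from SparkCat) is a gallery self-audit script: it takes the OCR text of your own images and flags those that look like a recovery-phrase backup or carry a credential label in some of the languages the report lists, so they can be deleted before any app with gallery access could harvest them. The OCR step is pluggable and the sample input is constructed, so the block runs offline; the keyword list is illustrative, not exhaustive.

```python
"""Gallery self-audit: flag screenshots whose OCR text looks like a wallet
recovery phrase or carries a credential label, so the owner can delete them.
Added example (not Kaspersky's or SparkCat's code); OCR is pluggable and the
sample input below is constructed, so it runs offline."""
import re
from typing import Callable, Dict, Iterable, List
# Illustrative, non-exhaustive labels in some of the languages the report lists.
SENSITIVE_LABELS = [
    "recovery phrase", "seed phrase", "mnemonic", "private key", "password",
    "助记词", "私钥", "密码", "リカバリーフレーズ", "秘密鍵", "パスワード",  # zh, ja
    "복구 구문", "니모닉", "비밀번호", "phrase de récupération", "mot de passe",  # ko, fr
    "hasło", "senha", "heslo",  # pl, pt, cs
]
LABEL_RE = re.compile("|".join(map(re.escape, SENSITIVE_LABELS)), re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]{3,8}")  # BIP-39 words are 3..8 lowercase letters

def looks_like_recovery_phrase(text: str) -> bool:
    """BIP-39 style backup: an unbroken run of exactly 12, 15, 18, 21 or 24
    short lowercase words; list numbering such as "1." between words is ignored."""
    runs, run = [], 0
    for tok in text.lower().split():
        if re.fullmatch(r"\d+[.)]?", tok):
            continue
        if WORD_RE.fullmatch(tok):
            run += 1
        else:
            runs.append(run)
            run = 0
    return any(r in (12, 15, 18, 21, 24) for r in runs + [run])

def classify_ocr_text(text: str) -> List[str]:
    """Reasons an image deserves review; an empty list means nothing found."""
    reasons = []
    if looks_like_recovery_phrase(text):
        reasons.append("recovery-phrase-like word run")
    if hit := LABEL_RE.search(text):
        reasons.append(f"sensitive label: {hit.group(0)}")
    return reasons

def audit_gallery(paths: Iterable[str], ocr: Callable[[str], str]) -> Dict[str, List[str]]:
    """Run OCR over each path and keep only the images with findings."""
    findings = {p: classify_ocr_text(ocr(p)) for p in paths}
    return {p: r for p, r in findings.items() if r}

SAMPLE_OCR = {  # constructed OCR output standing in for real gallery images
    "IMG_0001.png": "1. abandon 2. ability 3. able 4. about 5. above 6. absent "
                    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident",
    "IMG_0002.png": "Lunch tomorrow at 12? Sure, see you there!",
    "IMG_0003.png": "密码: Hunter2!",
}
```

To run it over a real gallery, pass the image paths and a wrapper around your OCR engine (for example pytesseract) in place of `SAMPLE_OCR.get`.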


Conclusion: A New Era of Cyber Threats

The emergence of SparkCat underscores a dangerous shift in cybercrime tactics. With neural networks and OCR-powered malware making their way into mainstream app stores, both individuals and businesses must remain vigilant against evolving threats.

Cybercriminals are now leveraging AI-driven techniques to execute highly sophisticated attacks. As SparkCat continues to spread, it is imperative for users to exercise digital hygiene, scrutinize app permissions, and implement advanced security measures to stay ahead of these threats.

With Kaspersky actively working with Apple and Google to remove SparkCat from their platforms, cybersecurity experts remain committed to protecting users from this groundbreaking malware. However, it is ultimately up to individuals to take proactive steps in securing their personal and financial information from emerging cyber threats.
