Malware Report: Crypto Stealing Trojan Discovered by Kaspersky in Apple App Store, Google Play

Kaspersky has discovered a new data-stealing Trojan, SparkCat, active in the Apple App Store and Google Play. This is said to be the “first known instance” of optical recognition-based malware appearing in AppStore. Kaspersky said they found comments in the code written in Chinese, possibly pointing to the country of origin.

SparkCat uses machine learning to “scan image galleries and steal screenshots containing cryptocurrency wallet recovery phrases.” The malware is said to also find and extract other “sensitive data” in images, such as passwords.

Kaspersky stated that it has reported the known malicious apps to Google and Apple, whose app markets may be hosting the nefarious code.

The malware is said to be spreading through both “infected legitimate apps and lures – messengers, AI assistants, food delivery, crypto-related apps, and more.”

Kaspersky telemetry data indicates that infected “versions are being distributed through other unofficial sources. In Google Play, these apps have been downloaded over 242,000 times.”

The malware is said to primarily target users in the UAE and European and Asian countries.

Once installed, in certain scenarios, the malware apparently “requests access to view photos in a user’s smartphone gallery.” SparkCat then scans image galleries “for keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese.” It then analyzes the text in stored images “using an optical character recognition (OCR) module.”

If the stealer detects relevant keywords, it “sends the image to the attackers.” The hackers’ primary goal is to “find recovery phrases for cryptocurrency wallets.”

Beyond stealing recovery phrases, the malware is “capable of extracting other personal information from screenshots, such as messages and passwords.”
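The scan described above has a defensive mirror: a user or security team can run OCR over their own screenshots and flag any that appear to hold a wallet recovery phrase, so those images can be removed from the gallery before an app with photo access ever sees them. The following is an added example, not Kaspersky's or the campaign's code; it assumes OCR text has already been extracted by some other tool, and its multilingual keyword list and 12-word heuristic are constructed assumptions, not the malware's actual keyword set.

```python
import re
from typing import Dict, List

# Constructed keyword list for "recovery phrase" in some of the languages the report
# names; it is an assumption of this example, not SparkCat's real keyword set.
PHRASE_KEYWORDS = [
    "recovery phrase", "seed phrase", "mnemonic",   # English
    "助记词", "恢复短语",                            # Chinese
    "リカバリーフレーズ", "シードフレーズ",          # Japanese
    "복구 구문", "니모닉",                            # Korean
    "phrase de récupération",                        # French
    "frase di recupero",                             # Italian
    "fraza odzyskiwania",                            # Polish
    "frase de recuperação",                          # Portuguese
    "obnovovací fráze",                              # Czech
]

# BIP39 mnemonic words are 3-8 lowercase letters; a production tool would also
# check each word against the BIP39 wordlist and verify the phrase checksum.
TOKEN = re.compile(r"^[a-z]{3,8}$")


def longest_word_run(text: str) -> int:
    """Longest run of consecutive tokens that look like BIP39 words (case-sensitive)."""
    best = run = 0
    for tok in text.split():
        run = run + 1 if TOKEN.match(tok) else 0
        best = max(best, run)
    return best


def looks_like_recovery_phrase(text: str) -> bool:
    """Flag OCR text that mentions a recovery phrase or contains a 12+ word mnemonic run."""
    lowered = text.lower()
    if any(k in lowered for k in PHRASE_KEYWORDS):
        return True
    return longest_word_run(text) >= 12


def flag_screenshots(ocr_results: Dict[str, str]) -> List[str]:
    """Return the names of screenshots whose OCR text should be reviewed and removed."""
    return sorted(name for name, text in ocr_results.items() if looks_like_recovery_phrase(text))


# Constructed OCR output for three screenshots (no real wallet data).
SAMPLE_OCR = {
    "IMG_0001.png": "Your recovery phrase\n" + " ".join(["abandon"] * 11) + " about",
    "IMG_0002.png": "Order #4821 delivered. Thanks for using our food delivery app!",
    "IMG_0003.png": "助记词 请妥善保管",
}

if __name__ == "__main__":
    for name in flag_screenshots(SAMPLE_OCR):
        print("review and remove from gallery:", name)
```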

Sergey Puzan, malware analyst at Kaspersky, said:

“This is the first known case of an OCR-based Trojan to sneak into AppStore. In terms of both AppStore and Google Play, at the moment it’s unclear whether applications in these stores were compromised through a supply chain attack or through various other methods. Some apps, like food delivery services, appear legitimate, while others are clearly designed as lures.”

Dmitry Kalinin, malware analyst at Kaspersky, said:

“The SparkCat campaign has some unique features that make it dangerous. First of all, it spreads through official app stores and operates without obvious signs of infection. The stealthiness of this Trojan makes it hard to discover it for both store moderators and mobile users. Also, the permissions it requests seem reasonable, making them easy to overlook. Access to the gallery that the malware attempts to reach may seem essential for the app to function properly, as it appears from the user perspective. This permission is typically requested in relevant contexts, such as when users contact customer support.” 

Apple and Google have reportedly removed the malicious apps from their platforms.
