Kaspersky researchers have detailed a cross‐platform malware campaign that targets cryptocurrency wallet recovery phrases through malicious mobile apps.
In a report published recently, Kaspersky revealed that the campaign, dubbed “SparkCat,” scans users’ photo galleries for sensitive data. The technique was first observed in March 2023.
At the time, cybersecurity researchers observed malware features within messaging apps scanning user galleries for crypto wallet recovery phrases—commonly known as mnemonics—to send to remote servers.
According to the researchers, this initial campaign was only aimed at Android and Windows users who downloaded unofficial apps.
SparkCat, found at the end of 2024, goes further. It uses an SDK framework integrated into several apps on both official and unofficial Android and iOS app stores.
The malicious SDK was first found in a food-delivery app named “ComeCome” on Google Play; the infected apps had been downloaded more than 242,000 times. Similar malware was later found in apps on the Apple App Store.
Stephen Ajayi, technical lead for dApp audits at cybersecurity firm Hacken, told Decrypt that app stores’ preventative measures usually consist of automated checks and only rarely of manual review.
Slava Demchuk, CEO of blockchain analytics firm AMLBot, added that the problem is compounded by code obfuscation, malicious updates, and malware that is added after the app has been approved.
“In SparkCat’s case, attackers obfuscated the entry point to hide their actions from security researchers and law enforcement,” he told Decrypt. “This tactic helps them evade detection while keeping their methods secret from competitors.”
The malware uses Google’s ML Kit library to perform optical character recognition (OCR) on images stored on users’ devices. When users open a support chat feature within the app, the SDK prompts them with a request for permission to read the image gallery.
If permission is granted, the application scans the images for keywords that suggest mnemonic presence in multiple languages. Matching images are then encrypted and transmitted to a remote server.
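The two signals described above, a gallery-read permission request and an on-device OCR dependency, are each harmless on their own but are worth a closer look in combination. The following static triage heuristic is an added example written for this article; it is not code from Decrypt, Kaspersky or any of the people quoted. The Android permission names and the ML Kit text-recognition package prefix are real identifiers; the manifest and class lists it runs on are constructed samples, and in practice they would come from a decoded APK and a DEX class listing.

```python
"""Static triage heuristic for the gallery-OCR pattern described in the article.

Added example, not code from the article or from Kaspersky. It flags an Android
app whose manifest requests gallery-read permission AND whose class list shows an
on-device OCR (ML Kit text recognition) dependency. Neither signal is malicious
by itself; the combination is what warrants manual review.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant read access to the photo gallery (real Android names).
GALLERY_READ_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Package prefix of Google's ML Kit on-device text recognition (real package).
# Treat this as a starting point, not an exhaustive signature set.
OCR_PACKAGE_PREFIXES = ("com.google.mlkit.vision.text",)


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")}


def uses_ocr_library(class_names) -> bool:
    """True if any class in the DEX listing belongs to a known OCR package."""
    return any(name.startswith(OCR_PACKAGE_PREFIXES) for name in class_names)


def triage(manifest_xml: str, class_names) -> dict:
    """Combine both signals; 'flag' is True only when both are present."""
    gallery = requested_permissions(manifest_xml) & GALLERY_READ_PERMISSIONS
    ocr = uses_ocr_library(class_names)
    return {"gallery_read": sorted(gallery), "ocr_library": ocr, "flag": bool(gallery) and ocr}


# Constructed sample: a delivery-style app that asks for gallery access and bundles
# ML Kit text recognition. Package name and classes are placeholders.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.delivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <application/>
</manifest>"""
SUSPECT_CLASSES = [
    "com.example.delivery.MainActivity",
    "com.example.delivery.support.ChatFragment",
    "com.google.mlkit.vision.text.TextRecognizer",
]

# Constructed sample: a scanner app that runs OCR on live camera frames only and
# never asks to read the gallery, so it should not be flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""
BENIGN_CLASSES = [
    "com.example.cardscanner.ScanActivity",
    "com.google.mlkit.vision.text.TextRecognizer",
]

if __name__ == "__main__":
    print("suspect:", triage(SUSPECT_MANIFEST, SUSPECT_CLASSES))
    print("benign: ", triage(BENIGN_MANIFEST, BENIGN_CLASSES))
```

The heuristic is deliberately coarse: a photo-editing app will legitimately trip both signals, so a flag is a reason for a human reviewer to check what the app does with gallery contents and where it sends them, not a verdict on its own.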
Demchuk noted that “this attack vector is pretty unusual—I’ve mostly seen similar tactics in ATM fraud, where attackers steal PIN codes.”
He added that pulling off such an attack requires a good level of technical prowess, and if the process became simpler to replicate then it could cause a lot more damage.
“This method may spread quickly if experienced fraudsters start to sell ready-made scripts,” he said.
Ajayi agreed, noting that “OCR is a very clever trick,” but he believes there is still room for improvement: “Imagine combining OCR with AI to pick up sensitive information automatically from images and screens.”
Demchuk advised users to think carefully before granting permissions. Ajayi suggested that wallet developers should “find better ways to handle and display sensitive data such as seed phrases.”
Edited by Stacy Elliott.