Crypto Malware Found in Mobile App Development Kits


Kaspersky Labs has identified crypto malware embedded in software development kits (SDKs) used to create Android and iOS apps. The malicious code, named SparkCat, infiltrates devices and scans stored images to steal sensitive recovery phrases for cryptocurrency wallets.

Malicious Software in Mobile App Development Kits

This alarming discovery raises concerns about mobile app security.
Researchers Sergey Puzan and Dmitry Kalinin explained in a February 4 report that the malware employs optical character recognition (OCR) technology to search image galleries for keywords in multiple languages.

“The intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds,” they wrote.

The malware is not limited to targeting recovery phrases. Kaspersky’s analysts noted that it could also access other personal data from screenshots, such as messages or passwords.

SparkCat has primarily affected Android and iOS users across Europe and Asia since it first appeared in March.

According to Kaspersky, the malware has been downloaded around 242,000 times. It is embedded in dozens of apps available on both the Google Play Store and the Apple App Store.

Some apps appear legitimate, such as food delivery services, while others are clearly fake, designed to lure unsuspecting victims.

The researchers noted that “some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims.”

Despite its widespread distribution, the origin of the crypto malware remains unclear. The developers may have either intentionally embedded the malware or fallen victim to a supply chain attack.

Protecting Against Crypto Malware

Further investigation revealed that the malware’s code includes comments and error messages in Chinese, suggesting that its creator may be fluent in the language.

SparkCat also uses Google ML Kit’s OCR functionality to search for recovery phrases in image files, making it a potent threat to mobile app security.

To protect against SparkCat and similar threats, Kaspersky recommends not storing sensitive information such as recovery phrases in a device’s image gallery. Instead, users should rely on secure password management solutions.

Removing any suspicious or infected apps is also essential.

Additionally, the malware is written in the Rust programming language, which is rarely seen in mobile applications and helps it evade detection. Its obfuscation techniques further complicate analysis by cybersecurity experts.

The threat of crypto malware continues to grow, with cybersecurity firm Doctor Web uncovering a crypto-jacking attack that infected over 28,000 devices across Russia and neighboring countries. The malware disguised itself as legitimate software, such as office tools and game cheats, stealing around $6,000 in cryptocurrency.

This highlights the increasing need for users to exercise caution when downloading apps or software from unverified sources.

About Jimmy Aki

Based in the UK, Jimmy is an economic researcher with outstanding hands-on and heads-on experience in macroeconomic finance analysis, forecasting and planning. He has honed his skills working cross-continentally as a finance analyst, which gives him intercultural experience. He currently has a strong passion for regulation and macroeconomic trends, as they allow him to peek under the global bonnet to see how the world works.