Cybersecurity researchers have uncovered a dangerous new malware campaign that targets cryptocurrency wallet recovery phrases through Optical Character Recognition (OCR). The malware is called SparkCat and was discovered in a few Android and iOS apps. Some of these malicious apps are also available in Google Play and the Apple App Store.
The campaign was first identified in March 2023 and has since evolved into what is now tracked as SparkCat. The malware uses Google’s ML Kit library to run OCR over images, looks for recovery phrases in the extracted text, and sends any matches to a Command and Control (C2) server.
One of the first suspicious apps discovered was ComeCome, a food delivery service available in the UAE and Indonesia. The malware was later found in other apps across various categories. Google and Apple have removed some of these apps, but others remain available.
Once installed, an infected app waits for the user to grant access to the image gallery. When permission is granted, it scans the images for crypto-related phrases in multiple languages. Any recovery phrases it identifies are uploaded to the attackers’ servers, which allows the attackers to take full control of the victim’s cryptocurrency wallet.
Do not store crypto wallet recovery phrases or other sensitive information as screenshots or photos in your gallery. Use a password manager or a hardware wallet to keep your credentials safe, and review which apps have been granted access to your photos. Always use a reputable mobile security application to detect and remove malware.