
SparkCat Malware: The Next-Gen Crypto Stealer Using OCR to Target Mobile Users
SparkCat is a malware campaign that targets both Android and iOS devices with the aim of stealing sensitive information, above all cryptocurrency wallet recovery phrases. The malware uses Optical Character Recognition (OCR) to read text out of images in users' photo libraries, which lets it collect recovery phrases and other sensitive data that people keep as screenshots or photos. It is distributed mainly through seemingly legitimate apps on the Apple App Store and Google Play, which makes it hard for users to recognise and avoid. It poses a significant risk to digital asset security, particularly for users holding cryptocurrency.
Technical Description
Background and Development:
The SparkCat campaign has been active since at least March 2024. It employs a malicious Software Development Kit (SDK) embedded within various applications distributed through both official app stores (Google Play and Apple’s App Store) and unofficial sources. This marks the first known instance of OCR-based malware infiltrating Apple’s App Store.
The infected applications span multiple categories, including artificial intelligence (AI) chat platforms, food delivery services and Web3-related apps. Some of these apps appear legitimate, while others are designed specifically to lure victims. The Android version of the "ComeCome" food delivery app was among those compromised.
Technical Analysis and Tactics:
Upon installation, SparkCat requests access to the user's photo gallery, typically under the pretext of enabling a feature such as customer support chat. Once the permission is granted, it uses Google's ML Kit library to run OCR over the images in the gallery, searching for text that looks like a cryptocurrency wallet recovery phrase. The OCR supports multiple languages, including English, Chinese, Japanese, Korean and various European languages, which widens the pool of potential victims.
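The defensive counterpart of that OCR search, as an added example that is not SparkCat's code and is not taken from any report on it: a Python heuristic that runs over OCR output (from whatever OCR engine an MDM, DLP or photo-backup pipeline already produces) and flags text shaped like a BIP-39 recovery phrase, so such screenshots can be quarantined before they sit in a gallery for malware to find. The sample OCR text and the twelve-word stand-in wordlist are constructed for the example; real use loads the 2048-word BIP-39 English list, which turns the coarse shape check into an exact match.

```python
import re

# Structural facts about BIP-39 English recovery phrases: 12, 15, 18, 21 or
# 24 words, each 3 to 8 lowercase ASCII letters.  The real list has 2048
# words; pass it in as `wordlist` for a precise match.
VALID_LENGTHS = (12, 15, 18, 21, 24)
MIN_RUN = min(VALID_LENGTHS)
WORD_SHAPE = re.compile(r"^[a-z]{3,8}$")

# Constructed stand-in for the wordlist: the first twelve BIP-39 words only.
SAMPLE_WORDLIST = frozenset(
    "abandon ability able about above absent absorb abstract absurd abuse "
    "access accident".split()
)

# Constructed OCR output of a wallet backup screen, in the numbered layout
# such screenshots usually have, plus an ordinary chat message for contrast.
SCREENSHOT_TEXT = (
    "Your Secret Recovery Phrase\n"
    "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
    "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
    "Write it down and never share it."
)
CHAT_TEXT = "Lunch at 12:30 tomorrow? Bring the Q3 report and the signed NDA."


def tokenize(ocr_text):
    """Lower-case alphabetic tokens only: '1. abandon' and 'abandon,' both
    yield 'abandon', so numbering and punctuation from screenshots drop out."""
    return re.findall(r"[a-z]+", ocr_text.lower())


def candidate_runs(ocr_text, wordlist=None):
    """Maximal runs of at least MIN_RUN consecutive mnemonic-looking tokens.

    Without a wordlist a token qualifies on shape alone (coarse: a long run of
    short prose words also qualifies); with one it must also be in the list.
    """
    runs, current = [], []
    for tok in tokenize(ocr_text) + [""]:        # "" sentinel flushes the last run
        ok = bool(WORD_SHAPE.match(tok)) and (wordlist is None or tok in wordlist)
        if ok:
            current.append(tok)
        else:
            if len(current) >= MIN_RUN:
                runs.append(current)
            current = []
    return runs


def looks_like_recovery_phrase(ocr_text, wordlist=None):
    """True when the OCR text contains a run of 12+ mnemonic-shaped words."""
    return bool(candidate_runs(ocr_text, wordlist))


def exact_length_runs(ocr_text, wordlist):
    """Runs whose length is exactly a valid phrase length.  Needs the wordlist,
    otherwise surrounding prose ('your secret recovery phrase') pads the run."""
    return [r for r in candidate_runs(ocr_text, wordlist) if len(r) in VALID_LENGTHS]


if __name__ == "__main__":
    for label, text in (("screenshot", SCREENSHOT_TEXT), ("chat", CHAT_TEXT)):
        print(label, looks_like_recovery_phrase(text),
              exact_length_runs(text, SAMPLE_WORDLIST))
```

Without a wordlist the screenshot yields one run of 17 words (the heading and "Write" pad the twelve-word phrase), which is enough to flag it; with the wordlist the run collapses to exactly the twelve mnemonic words. Checksum validation, which would remove the last false positives, needs the full list and the BIP-39 derivation and is deliberately out of scope here.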
The malware’s architecture is notable for its use of the Rust programming language to implement a custom communication protocol with its command-and-control (C2) servers, a rarity in mobile malware development. This Rust-based module encrypts and transmits the extracted data to the attackers’ servers, often disguising the traffic to evade detection.
SparkCat employs advanced obfuscation techniques, such as disguising malicious frameworks as system packages and mimicking legitimate services in its C2 domains. These strategies enhance its stealth, making detection and analysis more challenging.
Conclusion
SparkCat is a serious threat to organizations as well as individuals: it enables financial theft and corporate espionage and creates compliance and supply-chain risk. Companies must adopt strong mobile security policies to prevent infections and protect critical business data.
Impact
SparkCat is not just a threat to individual users. It also poses serious risks to organizations, especially those involved in cryptocurrency, finance, and mobile app development.
Data Breaches & Financial Losses:
Organizations with employees who handle crypto wallets, financial transactions or sensitive client data are at risk.
If an infected employee has stored wallet recovery phrases or confidential documents as images, SparkCat can exfiltrate them, leading to serious financial and reputational damage.
Companies that manage or invest in cryptocurrencies could see their assets being stolen.
Supply Chain Attacks on Mobile Applications:
SparkCat spreads through trojanized SDKs embedded in mobile applications.
If an organization develops or maintains mobile apps and unknowingly integrates a compromised SDK, it could inadvertently distribute malware to thousands (or millions) of users.
This could lead to regulatory scrutiny, lawsuits and app store bans.
Corporate Espionage & Insider Threats:
Attackers could use SparkCat to steal corporate documents, credentials, and private communication if employees store them as images (screenshots of emails, financial statements, or client contracts).
This increases the risk of corporate espionage, where competitors or cybercriminals gain access to strategic business information.
Compliance Violations & Regulatory Fines:
Organizations in sectors like banking, fintech, and crypto exchanges must comply with strict regulations (GDPR, CCPA, PCI DSS).
A SparkCat-related data breach could lead to hefty fines, lawsuits and loss of operating licenses.
Firms that store customer financial data could face legal consequences if they fail to prevent such breaches.
Disruption of Business Operations:
A company relying on mobile apps for customer interaction (fintech platforms, banking apps) could experience user distrust and mass uninstallations if its app is found to be distributing SparkCat.
If SparkCat spreads within an organization, IT security teams may need to quarantine and investigate multiple devices, causing downtime and loss of productivity.
IOC and Context Details
Topics | Details |
---|---|
Tactic Name | Credential Access (TA0006): SparkCat steals cryptocurrency wallet recovery phrases stored in image galleries. |
Technique Name | Input Capture (T1056): Uses Optical Character Recognition (OCR) to extract sensitive text from images. |
Sub Technique Name | None of the Input Capture sub-techniques fits (T1056.002 is GUI Input Capture, not Screen Capture). SparkCat does not capture the screen live; it reads images already stored in the gallery, which maps more closely to Screen Capture (T1113) for the screenshots it harvests and Data from Local System (T1005) for the gallery read itself. |
Attack Type | Infostealer, Supply Chain Attack |
Targeted Applications | Google Play Store (WeTink, AnyGPT, Vanity Address, ATV News Online, WebSea Exchange, SafeW Messenger), Apple App Store, Third party APK |
Region Impacted | Global |
Industry Impacted | Blockchains, Mobile App Development, Fintech & Banking |
IOCs | File hashes as published. Caveat before loading them into a blocklist: every entry under the "SHA256" label except the first is 32 hex characters, which is MD5 length, and the first is 63 characters and may be two values run together, so verify the list against the original report. SHA256 (as labelled): 0ff6a5a204c60ae5e2c919ac39898d4f4e16c54b6c4299a5dfbc8cf91913ea3, 21bf5e05e53c0904b577b9d00588e0e7, a4a6d233c677deb862d284e1453eeafb, 66b819e02776cb0b0f668d8f4f9a71fd, f28f4fd4a72f7aab8430f8bc91e8acba, 51cb671292eeea2cb2a9cc35f2913aa3, 00ed27c35b2c53d853fafe71e63339ed, 7ac98ca66ed2f131049a41f4447702cd, 6a49749e64eb735be32544eab5a6452d, 10c9dcabf0a7ed8b8404cd6b56012ae4, 24db4778e905f12f011d13c7fb6cebde, 4ee16c54b6c4299a5dfbc8cf91913ea3, a8cd933b1cb4a6cae3f486303b8ab20a, ee714946a8af117338b08550febcd0a9, 0b4ae281936676451407959ec1745d93, f99252b23f42b9b054b7233930532fcd, eea5800f12dd841b73e92d15e48b2b71. MD5: 35fce37ae2b84a69ceb7bbd51163ca8a, cd6b80de848893722fa11133cbacd052, 6a9c0474cc5e0b8a9b1e3baed5a26893, bbcbf5f3119648466c1300c3c51a1c77, fe175909ac6f3c1cce3bc8161808d8b7, 31ebf99e55617a6ca5ab8e77dfd75456, 02646d3192e3826dd3a71be43d8d2a9e, 1e14de6de709e4bf0e954100f8b4796b, 54ac7ae8ace37904dcd61f74a7ff0d42, caf92da1d0ff6f8251991d38a840fb4a, db128221836b9c0175a249c7f567f620 |
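A way to put the table above to work when auditing an APK or a third-party SDK, as an added example that is not SparkCat's code and not from any vendor's tooling: a Python triage script that hashes an APK against the published IOC list and then looks inside the package for the two ingredients the page describes, a gallery permission in the manifest and the ML Kit text-recognition classes in the code. Only two MD5 values from the table are embedded; the sample APKs are constructed in memory (an APK is a zip file), the string search is a raw-byte heuristic rather than a full binary-XML parser, and an ML Kit hit alone is a lead, not a verdict, since document scanners and translators legitimately ship the same SDK. The example covers Android only; the iOS side of the campaign needs a separate IPA workflow.

```python
import hashlib
import io
import zipfile

# Two MD5 values copied from the IOC table above; load the whole table (and
# the SHA-256 list, once its entries are verified) in real use.
IOC_MD5 = frozenset({
    "35fce37ae2b84a69ceb7bbd51163ca8a",
    "cd6b80de848893722fa11133cbacd052",
})

# Permissions that grant gallery access: READ_MEDIA_IMAGES on Android 13+,
# READ_EXTERNAL_STORAGE on older targets.
GALLERY_PERMISSIONS = (
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
)
# Class-path fragments of the ML Kit text-recognition API the page names as
# SparkCat's OCR engine, in dex (slash) and plain (dot) spelling.
OCR_SDK_MARKERS = (b"com/google/mlkit/vision/text", b"com.google.mlkit.vision.text")


def file_hashes(data):
    """MD5 and SHA-256 of the whole APK, the form IOC feeds publish."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _contains_any(blob, needles):
    return any(n in blob for n in needles)


def scan_apk(apk_bytes, ioc_md5=IOC_MD5, ioc_sha256=frozenset()):
    """Static triage of one APK: IOC hash match, gallery permissions in the
    manifest, OCR SDK markers in dex code or native libraries.

    The binary manifest keeps its string pool as UTF-8 or UTF-16LE, so both
    encodings are searched.  This is a raw-byte heuristic, not an AXML
    parser, and misses strings an obfuscator splits or encrypts.
    """
    hashes = file_hashes(apk_bytes)
    result = {**hashes,
              "ioc_match": hashes["md5"] in ioc_md5 or hashes["sha256"] in ioc_sha256,
              "gallery_permissions": [],
              "ocr_sdk": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            blob = zf.read(info)
            if info.filename == "AndroidManifest.xml":
                for perm in GALLERY_PERMISSIONS:
                    if _contains_any(blob, (perm.encode("utf-8"), perm.encode("utf-16-le"))):
                        result["gallery_permissions"].append(perm)
            elif info.filename.endswith((".dex", ".so")) and _contains_any(blob, OCR_SDK_MARKERS):
                result["ocr_sdk"] = True
    # Worth an analyst's time if it is a known sample, or if it combines the
    # two behaviours the page describes: gallery access plus an OCR engine.
    result["needs_review"] = result["ioc_match"] or (
        result["ocr_sdk"] and bool(result["gallery_permissions"]))
    return result


def build_sample_apk(with_markers):
    """Constructed stand-in for an APK: a manifest-like entry carrying a
    UTF-16LE string-pool fragment and a dex-like entry, with or without the
    markers above.  Not a valid installable package."""
    perm = "android.permission.READ_MEDIA_IMAGES" if with_markers else "android.permission.INTERNET"
    cls = b"Lcom/google/mlkit/vision/text/TextRecognition;" if with_markers else b"Lcom/example/Main;"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + perm.encode("utf-16-le"))
        zf.writestr("classes.dex", b"dex\n035\x00" + cls)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(label, scan_apk(build_sample_apk(flag)))
```

Run it over a real file with `scan_apk(open("app.apk", "rb").read())`; for the SDK-audit case, run it over the build output with and without the candidate SDK and diff the `gallery_permissions` and `ocr_sdk` fields, which shows what the SDK's merged manifest and dex contribute. A full audit should follow up with a real manifest parser and a look at what the OCR result is sent to, since the SDK's presence is only the first of the page's two observations.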
Recommended Actions
- For Individual Users
- Uninstall Infected Apps – Remove any suspicious or unfamiliar apps, especially AI chat apps, food delivery apps, or Web3/crypto-related apps.
- Check App Permissions – Revoke unnecessary permissions, especially access to your photo gallery, storage, and clipboard. Where an app genuinely needs photos, grant access to selected photos only (iOS "Selected Photos"; Android 14 "Select photos") rather than the whole library.
- Do Not Store Recovery Phrases in Images – Avoid saving sensitive data (like crypto wallet seeds) as screenshots or photos in your device gallery.
- Enable Device Security Features – Keep Google Play Protect enabled on Android; on iOS, install only from the App Store and periodically review which apps hold photo access under Settings > Privacy & Security > Photos.
- Use Reputable Security Software – Install a trusted mobile security solution to detect and block potential threats.
- Keep Your OS & Apps Updated – Ensure all apps and the operating system are up to date to reduce vulnerabilities.
- Download Apps Only from Official Stores – Avoid third-party APK sites that may distribute trojanized apps.
- For Organizations & Enterprises
For Companies Managing Mobile Apps:
- Audit Third-Party SDKs – Carefully review and test any external SDKs before integrating them into mobile apps.
- Perform Code Signing & Integrity Checks – Ensure mobile apps are signed and verified before distribution.
- Monitor App Store Listings – Regularly check for unauthorized or tampered versions of your app.
- For Businesses Using Mobile Devices
- Implement Mobile Device Management (MDM) – Restrict employees from installing unauthorized applications.
- Educate Employees About Cyber Threats – Train staff on recognizing malware, phishing scams, and risky app behaviors.
- Regularly Scan Corporate Devices – Use mobile threat detection (MTD) solutions to scan and block malicious activity.
- Restrict Image-Based Data Storage – Implement policies that prohibit storing sensitive data in images/screenshots.
- Incident Response if Compromised
If You Suspect an Infection:
- Disconnect from the Internet – Prevent further data exfiltration to C2 servers.
- Uninstall the Suspicious App – Remove any app that may be involved.
- Run a Security Scan – Use mobile antivirus software to check for threats.
- Change Crypto Wallets & Credentials – If a recovery phrase may have been exposed, treat the wallet as compromised: the phrase is the key itself, so changing passwords or PINs does not help. Create a new wallet on a clean device, transfer funds to it, and rotate any other credentials that were stored as images.
- Report the Incident – Notify the app store (Google Play/App Store) and cybersecurity teams if in a corporate setting.
- Monitor for Suspicious Transactions – Keep an eye on financial accounts and crypto wallets for unauthorized activity.