
A sophisticated cryptocurrency theft campaign dubbed “SparkCat” has been uncovered, affecting both Android and iOS applications available on official app stores. Security researchers at Kaspersky have identified a malicious software development kit (SDK) embedded within multiple apps, collectively downloaded over 242,000 times from Google Play alone.
Key Findings:
– First documented case of such a stealer in the Apple App Store
– Affects 18 Android and 10 iOS applications
– Uses optical character recognition (OCR) to steal crypto wallet recovery phrases
Technical Implementation:
The malware is built from platform-specific components:
– Android: Uses a Java component named “Spark” that is disguised as an analytics module
– iOS: Appears under names such as “Gzip,” “googleappsdk,” or “stat”
– Employs Google ML Kit OCR to extract text from images
– Uses a Rust-based networking module for C2 communication
– Fetches its configuration files from GitLab
Theft Mechanism:
– Scans device images for wallet recovery phrases
– Recognizes text in multiple scripts (Latin, Korean, Chinese, Japanese)
– Uses region-specific keywords for targeting
– Transmits device information to command servers
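The combination described above (gallery read access plus on-device OCR with several script packs, shipped inside an “analytics” SDK) is something an app-vetting pipeline can flag before a user ever installs the app. The triage heuristic below is an added example, not code from the Kaspersky report or from the malware; the manifest and class list are constructed sample input, and the `com.spark.analytics` package name is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions that grant read access to the photo gallery (pre-API 33 and API 33+).
IMAGE_READ_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.READ_MEDIA_IMAGES"}
# Google ML Kit text-recognition package; script packs live in sub-packages.
OCR_PREFIX = "com.google.mlkit.vision.text."
OCR_SCRIPT_PACKS = {"latin", "chinese", "japanese", "korean"}
# Component names reported for this campaign (weak indicator on its own).
REPORTED_SDK_NAMES = {"spark", "gzip", "googleappsdk", "stat"}

def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the <uses-permission> names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml: str, class_names: list[str]) -> dict:
    """Flag gallery access combined with on-device OCR; report the script packs bundled."""
    perms = manifest_permissions(manifest_xml)
    ocr_classes = [c for c in class_names if c.startswith(OCR_PREFIX)]
    packs = {c[len(OCR_PREFIX):].split(".")[0] for c in ocr_classes} & OCR_SCRIPT_PACKS
    sdk_hits = {seg for c in class_names for seg in c.lower().split(".")
                if seg in REPORTED_SDK_NAMES}
    image_access = sorted(perms & IMAGE_READ_PERMS)
    return {
        "image_access": image_access,
        "ocr_classes": len(ocr_classes),
        "ocr_script_packs": sorted(packs),
        "reported_sdk_names": sorted(sdk_hits),
        # Gallery read + OCR is the core pattern; an SDK name match only raises priority.
        "needs_review": bool(image_access) and bool(ocr_classes),
    }

# Constructed sample input: a manifest and the class list recovered from the app's dex.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.food">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""
SAMPLE_CLASSES = [
    "com.example.food.MainActivity",
    "com.google.mlkit.vision.text.TextRecognition",
    "com.google.mlkit.vision.text.chinese.ChineseTextRecognizerOptions",
    "com.google.mlkit.vision.text.korean.KoreanTextRecognizerOptions",
    "com.spark.analytics.Tracker",  # hypothetical name mirroring the "analytics" disguise
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

Receipt scanners and translation apps legitimately bundle the same ML Kit packs, so a hit is a trigger for manual review of what the OCR output is sent to, not a verdict.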
Security Recommendations:
– Immediately uninstall affected applications
– Scan devices with mobile antivirus software
– Consider factory reset if infected
– Avoid storing wallet recovery phrases in screenshots
– Use offline storage methods for cryptocurrency credentials
The investigation is ongoing; Apple and Google have both been notified of the compromised applications in their respective stores.