Kaspersky Lab has raised the alarm about a malicious software module called SparkCat. In a statement to RIA Novosti on February 4, experts from the cybersecurity firm warned that this newly uncovered threat exploits neural networks and optical character recognition (OCR) to steal data, seed phrases and other access credentials to cryptocurrency wallets stored in screenshots.
Android and iOS
According to Kaspersky Lab, SparkCat slinks onto iOS and Android smartphones under the guise of seemingly legitimate apps. The module has reportedly been embedded in multiple applications distributed through Google Play (with over 242,000 downloads) and, perhaps more surprisingly, in the Apple App Store as well.
So far, the main targets have been users in Europe and Asia, though Kaspersky suggests the threat is poised to expand worldwide. This cross-platform infiltration is particularly startling because Apple’s walled garden, while not impenetrable, has generally offered stricter security measures than its Android counterpart.
How SparkCat Steals Your Crypto
Once lodged inside an application, SparkCat requests permission to access a user’s photos. That may seem benign, since many apps do the same. But in this case, the code is no mere photo editor. SparkCat uses OCR (optical character recognition), scouring your screenshots for words, phrases, or private keys that might grant access to your cryptocurrency wallets.
Beyond wallet credentials, the malware can also collect other sensitive data lurking in your images, be it passwords, PINs, or the content of private messages that appear in screenshots. If a user has previously stored a backup passphrase, a recovery phrase, or an exchange login in their phone’s camera roll, SparkCat’s code can capture it.
Kaspersky’s researchers say SparkCat is written in Rust (an unusual choice for mobile malware) and communicates with its command-and-control (C2) infrastructure through an “unidentified protocol.” The firm believes this code has been quietly active since March 2024, but it only came to the firm’s attention late in the year.
Applications Affected
While Kaspersky has identified multiple Android and iOS apps tainted with SparkCat, they singled out one suspicious example: a food delivery application for users in the UAE and Indonesia, called “ComeCome.” Both the Android and iOS versions of ComeCome reportedly contained the same malicious framework with the Trojan built in.
This is not an isolated incident. The same principle (embedding malicious code through compromised SDKs or frameworks) was flagged by security researchers at ESET back in 2023, when Telegram and WhatsApp knockoffs used “clippers” to pilfer clipboard data. Now, with more advanced OCR-based functionality, SparkCat has effectively upgraded that older tactic.
An International Threat
Despite being initially spotted in apps targeting European and Asian markets, the threat’s potential scope is global:
– SparkCat can load different OCR models depending on your system language (whether Latin, Korean, Chinese, or Japanese characters).
– Once the attackers push an update to the malicious module, new features can be stealthily introduced to existing infected apps.
– The fact that it bypassed Apple’s famously tight security protocols indicates a higher level of sophistication by the attackers.
Protect Yourself and Your Wallet
Kaspersky recommends taking a few critical steps:
1. Update your OS and apps regularly
Malicious code can hide in legitimate updates. Ensuring you have the latest patches can shut the door on vulnerabilities.
2. Clean your camera roll
Don’t store screenshots of private information (especially seed phrases or passwords) in your photo gallery.
3. Limit permissions
If possible, restrict apps from accessing your entire photo library, or only grant temporary permission to selected images.
4. Monitor official sources
Keep an eye on official statements from Google, Apple, and reputable cybersecurity firms to stay ahead of emerging threats.
While Google and Apple have not yet commented publicly on SparkCat’s infiltration, they typically move swiftly to remove or patch flagged apps once credible evidence of malware is presented. Kaspersky has provided package names for the infected apps in its official report (users would do well to check their devices for any suspicious matches).
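One way to act on the permission and package-name advice on an Android device, as an added example that is not from Kaspersky's report or from this article: the script reads the text produced by adb shell dumpsys package and reports apps that hold a granted photo-library permission or match an indicator list. The sample dump and every package name in it are constructed placeholders, and the script assumes the usual dumpsys text layout; the real package names have to come from the vendor report.

```python
import re

# Android permissions that give an app read access to the photo gallery.
PHOTO_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
# Placeholder indicator list: fill in package names from the vendor report.
FLAGGED_PACKAGES = {"com.example.placeholder.fooddelivery"}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample in the layout of `adb shell dumpsys package` output.
SAMPLE = """\
Packages:
  Package [com.example.placeholder.fooddelivery] (1a2b3c):
    requested permissions:
      android.permission.READ_MEDIA_IMAGES
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (4d5e6f):
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
  Package [com.example.gallery] (7a8b9c):
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

def audit(dumpsys_text, flagged=FLAGGED_PACKAGES):
    """Map package -> {'photo_perms': [...], 'flagged': bool} for apps worth reviewing."""
    findings, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            if current in flagged:  # report a listed app even without photo access
                findings[current] = {"photo_perms": [], "flagged": True}
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in PHOTO_PERMS:
            entry = findings.setdefault(current, {"photo_perms": [], "flagged": False})
            if perm.group(1) not in entry["photo_perms"]:  # same grant repeats per user
                entry["photo_perms"].append(perm.group(1))
    return findings

if __name__ == "__main__":
    for name, info in audit(SAMPLE).items():
        print(name, "FLAGGED" if info["flagged"] else "review", info["photo_perms"])
```

Apps that appear only because of a granted photo permission are candidates for revoking or narrowing that access, not confirmed infections.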
The Bottom Line
For a world that increasingly treats smartphones as personal vaults (stuffed with payment details, private correspondence, and even entire crypto portfolios), the emergence of SparkCat is a sobering reminder that convenience can be a Trojan horse. The malicious code’s success proves there’s no such thing as total security, even in the sanctified halls of the Apple App Store.
And as the lines between fintech, social media, and personal life blur ever more, the real question becomes: what’s next? Could tomorrow’s Trojan rummage through your augmented reality glasses or your metaverse hangouts for wallet data, chat logs, or more? The cat, it seems, is truly out of the bag, and it’s hungry for your crypto.