Kaspersky researchers have identified a sophisticated new Trojan, SparkCat, that has infiltrated both the App Store and Google Play, posing a significant threat to cryptocurrency users.
Cybersecurity firm Kaspersky has uncovered a new data-stealing Trojan named SparkCat, which has been active in the App Store and Google Play since at least March 2024. This is the first known case of OCR-based malware reaching Apple's App Store. The Trojan uses a machine-learning OCR model to scan the device's image gallery and pull cryptocurrency wallet recovery phrases and other sensitive data out of screenshots.
Kaspersky has reported the malicious applications to Apple and Google. According to the company's threat research center, SparkCat spreads both through infected versions of otherwise legitimate apps and through purpose-built lures, including messaging apps, AI assistants, food delivery services, and cryptocurrency-related applications. Some of these apps are still listed on the official stores, while others circulate through unofficial sources. The infected apps have been downloaded more than 242,000 times from Google Play alone.
The malware primarily targets users in the UAE, as well as in several countries across Europe and Asia. Analysts reached this conclusion from the geographic distribution of the infected applications and from technical analysis of the malware. SparkCat recognizes keywords in multiple languages, including English, Chinese, Japanese, Korean, Czech, French, Italian, Polish, and Portuguese, so victims are unlikely to be confined to those regions.
Once installed, the Trojan requests permission to read the photos stored on the device. It then runs an optical character recognition (OCR) module over the images and searches the extracted text for trigger keywords. When a keyword matches, the malware uploads the matching images to the attackers. The primary objective is to find recovery phrases for cryptocurrency wallets, since anyone holding the phrase gains full control of the wallet's assets. Beyond crypto-related data, SparkCat can also lift other personal information from screenshots, including passwords and private messages.
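The triage step described above, keyword matching over OCR output followed by exfiltration of the matching image, is what makes this kind of stealer cheap to run: it never needs to ship every photo off the device. The following Python example is added here to show that triage logic from the defender's side; it is not SparkCat's code and the keyword list is an assumption of this example, not the malware's actual trigger list. The structural check (a run of at least twelve consecutive lowercase 3-to-8-letter words, which is the shape of a BIP39 mnemonic) is likewise this example's own heuristic. The sample "OCR output" strings are constructed inline. Feed it real text from your own screenshot folder (for instance via pytesseract) to find recovery-phrase screenshots that should not exist.

```python
import re
import unicodedata

# Illustrative multilingual trigger terms (assumption: these are example terms
# in languages the article lists, not the malware's real keyword list).
TRIGGER_KEYWORDS = {
    "en": ["recovery phrase", "seed phrase", "mnemonic", "secret phrase"],
    "zh": ["助记词", "恢复短语"],
    "ja": ["リカバリーフレーズ", "シードフレーズ"],
    "ko": ["복구 구문", "시드 구문"],
    "cs": ["seed fráze", "fráze pro obnovení"],
    "fr": ["phrase de récupération", "phrase secrète"],
    "it": ["frase di recupero", "frase segreta"],
    "pl": ["fraza odzyskiwania", "fraza seed"],
    "pt": ["frase de recuperação", "frase secreta"],
}

# BIP39 English words are 3 to 8 lowercase ASCII letters; a seed screenshot
# usually shows 12 or 24 of them, often numbered "1." / "2)" and so on.
_WORD_RE = re.compile(r"^[a-z]{3,8}$")
_NUMBERING_RE = re.compile(r"^\d{1,2}[.):]?$")


def _norm(s: str) -> str:
    # NFKC folds fullwidth digits/letters that OCR engines frequently emit.
    return unicodedata.normalize("NFKC", s)


def longest_word_run(text: str) -> int:
    """Longest run of consecutive mnemonic-shaped tokens, ignoring list numbering.

    Any other token (capitalised word, punctuation, 2-letter word, digits inside a
    word) breaks the run, which keeps ordinary prose from matching.
    """
    best = run = 0
    for tok in _norm(text).split():
        if _NUMBERING_RE.match(tok):
            continue  # "1." between words does not break a mnemonic
        if _WORD_RE.match(tok):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def classify_ocr_text(text: str, min_run: int = 12) -> dict:
    """Decide whether OCR output looks like it contains a wallet recovery phrase.

    Returns the matched (language, keyword) pairs, the longest word run and a
    combined verdict. Keyword matching is substring-based after casefolding so
    it works for scripts without word boundaries (Chinese, Japanese).
    """
    folded = _norm(text).casefold()
    hits = [
        (lang, kw)
        for lang, kws in TRIGGER_KEYWORDS.items()
        for kw in kws
        if _norm(kw).casefold() in folded
    ]
    run = longest_word_run(text)
    return {"keywords": hits, "word_run": run, "suspicious": bool(hits) or run >= min_run}


# Constructed sample OCR output, standing in for text recognised from screenshots.
SAMPLES = {
    "seed_screenshot": (
        "Your recovery phrase\n"
        "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
        "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
        "Never share this with anyone."
    ),
    "zh_screenshot": "请妥善保存您的助记词\n切勿截图或分享",
    "chat": "hey are we still on for dinner tonight? I'll bring the wine, you get dessert.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, classify_ocr_text(text))
```

The keyword list is the weaker half: a real campaign tunes it per target region, and OCR noise ("rec0very") slips past exact substring matches, so the structural run check is what catches an unlabeled 12- or 24-word grid. Expect some false positives from lists of short lowercase words (a shopping list will trigger it); treat a hit as "open this screenshot and look", not as proof.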
“This is the first known case of an OCR-based Trojan successfully infiltrating the App Store,” said Sergey Puzan, a malware analyst at Kaspersky. “In both the App Store and Google Play, it remains unclear whether these applications were compromised through a supply chain attack or alternative methods. Some of the infected apps, such as food delivery services, appear entirely legitimate, while others are explicitly designed as bait.”
The discovery of SparkCat underscores the growing sophistication of threats targeting mobile devices, and the fact that an app listed on an official store is not a guarantee of safety. Kaspersky urges users to remain vigilant, install apps only from trusted sources, and regularly review app permissions. In practice that means questioning any app that asks for full photo-library access without an obvious need (a food delivery app does not need your gallery), granting only selected photos where the platform offers it (iOS 14 and later, Android 14 and later), and never keeping a wallet recovery phrase as a screenshot in the first place, since that is exactly the artifact this Trojan is built to find.