SparkCat is a sophisticated mobile malware targeting both Android and iOS devices, designed primarily to steal cryptocurrency wallet recovery phrases and other sensitive information by scanning users’ photo galleries using optical character recognition (OCR) technology.
How SparkCat Works
• Platforms: Infects both Android and iOS devices.
• Infection Method: Spreads via malicious software development kits (SDKs) embedded in seemingly legitimate apps, including those available on official app stores such as Google Play and Apple’s App Store.
• Distribution: Apps compromised include food delivery services, AI chat platforms, and Web3-related apps. Notable examples include the Android version of the “ComeCome” food delivery app and others like WeTink, AnyGPT, and Vanity Address.
Operation
• Android: Uses a Java-based SDK disguised as an analytics module. Upon launch, it retrieves an encrypted configuration file from a remote GitLab repository. It then uses Google ML Kit’s OCR to scan the device’s image gallery for text matching wallet recovery phrases or other sensitive data. The malware supports multiple languages, including English, Chinese, Korean, Japanese, and several European languages.
• iOS: Operates via a malicious framework (e.g., GZIP, googleappsdk) written in Objective-C and obfuscated with HikariLLVM. It also leverages Google ML Kit for OCR and only requests gallery access during specific user actions to avoid suspicion.
• Data Exfiltration: Extracted sensitive images and data are uploaded to attacker-controlled servers, often using encrypted channels or non-standard protocols (such as Rust-based modules) to evade detection.
Impact and Risks
• Targets: Individual users and organizations, especially those involved in cryptocurrency, finance, and mobile app development.
• Risks: Financial losses, corporate espionage, regulatory fines, supply chain attacks, and reputational damage if sensitive data is exfiltrated.
• Scale: At the time of discovery, SparkCat-infected apps had been downloaded over 200,000 times from Google Play alone, with additional infections via third-party sources.
Technical Highlights
• OCR Technology: Uses Google ML Kit for cross-platform, multi-language text recognition in images.
• Obfuscation: Employs advanced techniques to disguise malicious code and mimic legitimate services.
• Custom Protocols: Uses Rust programming for encrypted data transmission, a rarity in mobile malware.