Malicious Android & iOS Apps Downloaded Over 242,000 Times, Stealing Crypto Recovery Keys
gbhackers
A sophisticated malware campaign, dubbed SparkCat, has infiltrated Google Play and Apple’s App Store, marking the first known instance of an optical character recognition (OCR)-based cryptocurrency stealer on iOS.
According to cybersecurity firm Kaspersky, the malware has been downloaded over 242,000 times since its emergence in March 2024.
It targets sensitive cryptocurrency wallet recovery phrases stored in images, posing a significant threat to users across Europe, Asia, and beyond.
How SparkCat Operates
SparkCat is embedded within malicious software development kits (SDKs) integrated into seemingly legitimate apps.
On Android, it operates via a Java-based SDK named “Spark,” disguised as an analytics module.
For iOS, the malware uses a malicious framework under aliases like “GZIP” or “googleappsdk,” written in Objective-C and obfuscated with HikariLLVM for stealth.
The malware employs Google ML Kit’s OCR technology to scan image galleries for ...
Copyright of this story solely belongs to gbhackers.