Editor’s take: Taking screenshots on modern mobile devices is incredibly easy. However, inexperienced users often overlook the potential security risks of saving images containing sensitive data. This oversight can lead to financial losses, as cybercriminals are always ready to exploit such lapses in operational security.
Kaspersky has uncovered a new malware campaign designed to breach users’ crypto wallets and steal Bitcoin and other cryptocurrencies. Dubbed SparkCat, the malware leverages advanced optical character recognition technology integrated into modern smartphone platforms to scan for recovery phrases used to access crypto wallets. Notably, it affects both Android and iOS ecosystems.
SparkCat was found embedded in several Android and iOS apps, some of which were available in official app stores. The malware employs a malicious SDK that integrates Google’s OCR technology, enabling it to scan users’ photo galleries for screenshots and extract crypto wallet recovery codes from images.
The infected apps discovered on Google Play had been downloaded over 242,000 times. Meanwhile, some malicious apps targeting iOS remain available for download, including two AI chat tools (WeTink and AnyGPT) and a Chinese food delivery app (ComeCome).
Kaspersky believes the SparkCat campaign has likely been active since March 2024. The malicious apps used a previously unseen protocol, implemented in Rust, to communicate with command-and-control servers operated by the cybercriminals behind the attack.
The origin of SparkCat remains unclear. Kaspersky has not determined whether the infection was part of a sophisticated supply chain attack or the result of deliberate actions by the app developers. The malware employs tactics previously observed by researchers in 2023, when ESET analysts discovered malicious “implants” in Android and Windows apps designed to scan images for crypto wallet access codes.
SparkCat underscores the risks of poor security practices on personal mobile devices. Saving screenshots in a phone’s gallery is already a potential vulnerability, but for users who have invested in cryptocurrency, it can turn into a serious security threat.