Cryptocurrency Wallet Malware Sparks Concerns with 200,000+ Downloads

A new malware threat, known as SparkCat, has been discovered, targeting both Android and iOS users and stealing cryptocurrency wallet private keys. This malware has been downloaded over 200,000 times, with some infected apps available on Google Play and the App Store.

How SparkCat Works

The malware spreads through malicious software development kits embedded in seemingly harmless apps. On Android, it is injected via a Java-based SDK called Spark, which disguises itself as an analytics module. Once active, SparkCat uses Google ML Kit’s OCR tool to scan the device’s image gallery, searching for specific keywords related to crypto wallet recovery phrases across multiple languages.

On iOS, SparkCat operates through a malicious framework embedded in the infected apps, disguised under names like GZIP, googleappsdk, or stat. This framework integrates with Google ML Kit to extract text from images in the gallery. To avoid raising suspicion, the iOS version only requests gallery access when users perform specific actions, such as opening a support chat.

Stealing Sensitive Data

Once the malware has scanned the image gallery, it uploads the images to an attacker-controlled server, either via Amazon cloud storage or a Rust-based protocol. The encrypted data transfers and non-standard communication methods make its activity harder to track.

Kaspersky's report also warned that the “flexibility of the malware” allows it to steal other sensitive data like “content of messages or passwords that could remain on screenshots.”

Users at Risk

Kaspersky estimates that the malware has infected over 242,000 devices across Europe and Asia. While the exact origin remains unknown, embedded comments in the code and error messages suggest that the malware’s developers are fluent in Chinese.

Tips to Stay Safe

Researchers at Kaspersky urge users to avoid storing important information like seed phrases, private keys, and passwords within screenshots. Here are some additional tips to stay safe:

  • Avoid downloading apps from untrusted sources.
  • Be cautious when granting app permissions.
  • Use strong passwords and enable two-factor authentication.
  • Regularly update your device and apps.

“Sophisticated malware campaigns remain a consistent threat within the crypto space.”

This is not the first time bad actors have managed to bypass Google and Apple’s store security measures. In September 2024, crypto exchange Binance flagged the “Clipper malware,” which infected devices via unofficial mobile apps and plugins and replaced the victim’s copied wallet address with one controlled by the attacker.

Private key theft has dealt serious damage to the crypto industry and is one of the main causes behind some of its biggest losses to date.
