SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

New SparkCat Trojan targets AppStore & Google Play users

Today

Kaspersky Threat Research has identified a new data-stealing Trojan named SparkCat, which is active on both AppStore and Google Play and poses a significant threat by scanning image galleries to extract sensitive data.

This malware utilises optical recognition to find and steal information such as passwords and cryptocurrency wallet recovery phrases from images, potentially causing financial losses and breaches of privacy.

SparkCat has been operational since at least March 2024, marking the first recorded case of optical recognition-based malware in AppStore. The Trojan employs machine learning to process and steal data from screenshots stored in users' image galleries.

The malicious applications have been reported to Google and Apple by Kaspersky, highlighting the severity and reach of this Trojan.

The malware spreads through both legitimate apps that have been infected and lure apps across various categories, including messengers, AI assistants, and food delivery. Although the apps are available on official platforms, Kaspersky's telemetry indicates that infected versions are also circulating through unofficial sources. In Google Play alone, these apps have been downloaded over 242,000 times.

Analysis suggests that SparkCat primarily targets users in the UAE as well as in multiple European and Asian countries. The malware is capable of scanning for keywords in several languages, thereby expanding its potential victim base beyond these regions.

Affected applications include the food delivery app ComeCome on both iOS and Android, as well as others designed specifically as lures, such as a messenger app on the AppStore.

SparkCat operates stealthily by requesting access to view photos, which appears to users as a genuine requirement for app functionality. It uses an optical character recognition module to identify and siphon text within images that appears to be cryptocurrency wallet information or other sensitive data.

Sergey Puzan, Malware Analyst at Kaspersky, stated, "This is the first known case of an OCR-based Trojan to sneak into AppStore. In terms of both AppStore and Google Play, at the moment it's unclear whether applications in these stores were compromised through a supply chain attack or through various other methods. Some apps, like food delivery services, appear legitimate, while others are clearly designed as lures."

Dmitry Kalinin, also a Malware Analyst at Kaspersky, further noted, "The SparkCat campaign has some unique features that make it dangerous. First of all, it spreads through official app stores and operates without obvious signs of infection. The stealthiness of this Trojan makes it hard to discover it for both store moderators and mobile users. Also, the permissions it requests seem reasonable, making them easy to overlook. Access to the gallery that the malware attempts to reach may seem essential for the app to function properly, as it appears from the user perspective. This permission is typically requested in relevant contexts, such as when users contact customer support."

Further examination of the Android version of this malware revealed code comments in Chinese. The iOS counterpart contained the developer home directory names "qiongwu" and "quiwengjing", suggesting the involvement of fluent Chinese speakers, although no direct connection to a specific cybercriminal group has been established.

SparkCat's deployment relies on machine-learning-based techniques: the Android version uses the Google ML Kit library to decrypt and run an OCR plugin. The iOS version of the malware mirrors this approach.

Kaspersky advises users who have downloaded infected applications to remove them immediately and refrain from use until updates are available. Additional precautions include avoiding the storage of sensitive information in galleries and employing trusted cybersecurity software.
