Kaspersky researchers have detailed a cross‐platform malware campaign that targets cryptocurrency wallet recovery phrases through malicious mobile apps.
According to a recent report, the “SparkCat” campaign uses a malicious software development kit (SDK) embedded in modified messaging apps and other applications to scan users’ image galleries for sensitive recovery data. This technique was first observed in March 2023.
At the time, cybersecurity researchers observed malware features within messaging apps scanning user galleries for crypto wallet recovery phrases—commonly known as mnemonics—to send to remote servers.
The initial campaign only affected Android and Windows users through unofficial app sources, the researchers said.
This is not true for SparkCat, which was discovered in late 2024. This new campaign employs an SDK framework integrated into various apps available on official and unofficial app marketplaces for Android and iOS devices.
In one instance, a food delivery app called “ComeCome” on Google Play was found to include the malicious SDK. The infected apps have been collectively installed more than 242,000 times, and similar malware was later identified in apps available on Apple’s App Store.
Stephen Ajayi, dApp audit technical lead at crypto cybersecurity firm Hacken, told Decrypt that preventative measures employed by app stores usually amount to automated checks and rarely include manual reviews.
Slava Demchuk, CEO of blockchain analytics firm AMLBot, further highlighted that the problem is compounded by code obfuscation and malicious updates that introduce malware after an app has already been approved.
“In SparkCat’s case, attackers obfuscated the entry point to hide their actions from security researchers and law enforcement,” he told Decrypt. “This tactic helps them evade detection while keeping their methods secret from competitors.”
The malware uses Google’s ML Kit library to perform optical character recognition (OCR) on images stored on users’ devices. When users access a support chat feature within the app, the SDK requests prompts them with a permission request to read the image gallery.
If permission is granted, the application scans the images for keywords that suggest mnemonic presence in multiple languages. Matching images are then encrypted and transmitted to a remote server.
Demchuk noted that “this attack vector is pretty unusual—I’ve mostly seen similar tactics in ATM fraud, where attackers steal PIN codes.”
He added that pulling off such an attack requires a good level of technical prowess, and if the process became simpler to replicate then it could cause a lot more damage.
“If experienced fraudsters start selling ready-made scripts, this method could spread fast,” he said.
Ajayi agreed, noting that “OCR to scan is such a clever trick,” but he believes that there is still space for improvement. “Imagine the combination of OCR and AI to automatically pick out sensitive information from images or screens.”
As advice to users, Demchuk recommended thinking twice before granting permissions to applications. Ajayi also suggests that wallet developers “should find better ways of handling and displaying sensitive data like seed phrases.”
Edited by Stacy Elliott.
Daily Debrief Newsletter
Start every day with the top news stories right now, plus original features, a podcast, videos and more.
