Malware using machine learning technology, downloaded more than 240,000 times by Android users

SparkCat has several notable features that make its spread more dangerous than ever.

Kaspersky's Threat Research Center has discovered a new data-stealing Trojan, dubbed SparkCat, that has been active on the App Store and Google Play since at least March 2024. This is the first documented case of optical-based malware appearing on the App Store.

SparkCat uses machine learning to scan photo libraries and steal screenshots containing phrases related to cryptocurrency wallet keys. SparkCat can also find and extract other sensitive data in images, such as passwords. For example, the iOS food delivery app ComeCome was infected with the malware; its interface and functionality are indistinguishable from the original Android version.

(Illustration)

The malware hides not only in legitimate apps that have been infected, but also in lure apps, such as messaging apps, AI assistants, food delivery apps and cryptocurrency-related apps. Some of these apps can be downloaded from the official platforms, Google Play and the App Store. On Google Play alone, these apps have been downloaded more than 242,000 times.


SparkCat mainly targets users in the UAE and in countries across Europe and Asia. Experts reached this conclusion from the operating regions of the infected applications and from technical analysis of the malware. Accordingly, SparkCat scans photo libraries for keywords in many languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish and Portuguese.

In the observed scenario, after being installed on the device, the malware requests access to the user's photo library so that it can view all the images. It then uses an optical character recognition (OCR) module to analyze the text and characters in each image. If the stealer detects relevant keywords, SparkCat sends the image to the attacker.

"The main goal of the hacker is to find the crypto wallet's recovery phrase. With this information, the bad guys can take full control of the victim's wallet and steal money. In addition to stealing recovery phrases, the malware is also capable of extracting other personal information from screenshots, such as messages and passwords," Kaspersky warned.

"This is the first time we have seen a trojan using optical character recognition (OCR) technology infiltrating the App Store system," said Sergey Puzan, a malware analyst at Kaspersky. "At the moment, it is unclear how the infected apps passed the App Store and Google Play checks to reach end users, or whether there are other ways to prove that these apps are trustworthy." 

According to Kaspersky, SparkCat has several notable features that make its spread even more dangerous. First of all, the SparkCat malware hides in official apps from app stores and operates without leaving any obvious signs of suspicion. The trojan's stealth makes it difficult for both app reviewers and mobile users to detect.

In addition, the permissions that the trojan requests look quite reasonable, which makes them easy for users to wave through. Access to the photo library is one example: users assume the application needs this permission to work more conveniently, for instance when sending a screenshot to customer support.
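The two ingredients described above, a plausible photo-library permission and a bundled OCR module, are individually harmless and only become a stealer pattern in combination. The following Python script is an added example for app reviewers and is not code from the article or from Kaspersky. It parses an Android manifest for photo-access permissions, checks a class list (as obtained from a decompiled APK) for on-device text-recognition libraries, and scores the combination against the app's declared purpose. The permission names are real Android permissions; the OCR package prefixes are an assumed, illustrative list, and the sample manifest and class list are constructed.

```python
"""Triage heuristic: photo-library access combined with a bundled OCR library.

Added example for reviewers; not from the article or from Kaspersky. The
permission names are real Android permissions. The OCR package prefixes are
an assumed, illustrative list to be extended from your own APK inventory.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant read access to the user's photos (real permissions).
PHOTO_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# Package prefixes of on-device text-recognition libraries (assumed list).
OCR_PACKAGE_PREFIXES = (
    "com.google.mlkit.vision.text",
    "com.googlecode.tesseract",
)


def manifest_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name="..."> value in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def bundled_ocr_packages(class_names) -> list[str]:
    """Class names (e.g. from a decompiled DEX) that belong to an OCR library."""
    return sorted({c for c in class_names if c.startswith(OCR_PACKAGE_PREFIXES)})


def triage(manifest_xml: str, class_names, ocr_expected: bool = False) -> dict:
    """Score the photo-access + OCR combination for manual review.

    ocr_expected: True when the app's declared purpose needs OCR (a document
    scanner, for instance); a food-delivery or messaging app would be False.
    """
    photo = sorted(manifest_permissions(manifest_xml) & PHOTO_PERMISSIONS)
    ocr = bundled_ocr_packages(class_names)
    if photo and ocr and not ocr_expected:
        severity = "high"
        note = "reads photos and bundles OCR without a declared need: manual review"
    elif photo and ocr:
        severity = "medium"
        note = "OCR is expected; confirm recognized text never leaves the device"
    elif photo or ocr:
        severity = "low"
        note = "photo access or OCR alone; no stealer pattern"
    else:
        severity = "none"
        note = "neither photo access nor OCR present"
    return {"photo_permissions": photo, "ocr_packages": ocr,
            "severity": severity, "note": note}


# Constructed sample input (not a real app): a food-delivery manifest that
# requests image access, and a class list that contains an OCR library.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fooddelivery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

SAMPLE_CLASSES = [
    "com.example.fooddelivery.MainActivity",
    "com.google.mlkit.vision.text.TextRecognizer",  # constructed OCR hit
    "okhttp3.OkHttpClient",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

The heuristic deliberately does not try to decide whether an app is malicious; it ranks packages for a human reviewer, which is the step the article says both store reviewers and end users currently lack. A document scanner with the same permission and library lands at "medium" rather than "high", so the review effort goes to apps whose stated purpose does not explain why they read text out of the user's photos.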

When analyzing the Android versions of the malware, Kaspersky experts found that the code comments were written in Chinese. Additionally, the iOS version contained the developer's original folder names "qiongwu" and "quiwengjing," suggesting that the people behind the campaign are fluent in Chinese. However, there is currently not enough evidence to attribute the campaign to a known cybercriminal group.

Kaspersky has reported the above malicious applications to Google and Apple.

To avoid falling victim to this malware, Kaspersky recommends:

- If you have installed one of the infected apps, remove it from your device immediately and do not use it again until a new update is available to fix the problem.

- Avoid storing screenshots containing sensitive information in your photo library, including cryptocurrency wallet keys. Passwords should be stored in dedicated security applications.

- Use reliable security software like Kaspersky Premium to prevent the risk of malware infection.
