Malicious SDKs in Mobile Apps Target Cryptocurrency Wallets Through Photo Scanning
Malicious SDKs Target Cryptocurrency Wallets
Kaspersky Labs has identified a malicious software development kit (SDK) embedded in apps on Google’s Play Store and Apple’s App Store. This SDK, known as SparkCat, uses optical character recognition (OCR) to scan users' photos for cryptocurrency wallet recovery phrases, enabling cybercriminals to steal funds.
SparkCat operates by searching for specific keywords in images across multiple languages. It not only targets wallet recovery phrases but also extracts other sensitive data, such as passwords and message content, from a device's photo gallery. This makes it a significant threat to digital security.
How SparkCat Operates
The malware primarily affects Android apps through a Java component called Spark, which disguises itself as an analytics module. It uses an encrypted configuration file hosted on GitLab to receive commands. SparkCat’s flexibility and sophisticated obfuscation techniques, including the use of the Rust programming language, make it difficult to detect and analyze.
Since its activation in March, SparkCat has been downloaded approximately 242,000 times, mainly targeting users in Europe and Asia. It is distributed through both legitimate-looking and fake apps, many of which share common features like cross-platform functionality and advanced evasion methods.
Origin and Recommendations
The origin of SparkCat remains unclear: it is not known whether the SDK was introduced through a supply chain attack or added intentionally by the apps' developers. However, evidence such as Chinese comments in the code suggests the developer may be fluent in Chinese.
To protect against such threats, Kaspersky analysts advise users to avoid storing sensitive information in screenshots or photo galleries and to use password managers instead. They also recommend removing suspicious or infected apps promptly.
As of now, neither Google nor Apple has provided an official response to the situation.