# Crypto-Stealing Malware Spreads on AppStore and Google Play

Cybersecurity experts have recently discovered a data-stealing trojan named SparkCat, which has been active on the AppStore and Google Play since at least March 2024. This is the first malware using optical recognition to appear on the AppStore. SparkCat utilizes machine learning to scan image libraries and steal screenshots containing cryptocurrency wallet recovery phrases. It can also find and extract other sensitive data in images, such as passwords.

# **Method of Spread**

This malware is spreading through both infected legitimate apps and decoys, such as messaging apps, AI assistants, food delivery apps, and cryptocurrency-related applications. Some of these apps are currently available on official platforms like Google Play and AppStore. Data from Kaspersky also shows that software versions infected with malware are being distributed through unofficial sources. On Google Play, these apps have been downloaded over 242,000 times.

![The ComeCome page in the App Store](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/02/04153419/SparkCat_22.png align="left")

*Figure 1. The ComeCome food delivery app for iOS infected with malware*

![Negative user feedback about ComeCome](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/02/04153453/SparkCat_19-1024x508.png align="left")

*Figure 2. Negative user feedback about ComeCome*

# **Attackers' Targets**

The malware primarily targets users in the UAE and countries in Europe and Asia. SparkCat scans image libraries for keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. However, experts believe victims may also come from other countries.

![Messaging apps in the App Store designed to lure victims](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/02/04153600/SparkCat_16-576x1024.png align="left")

*Figure 3. A fake messaging app on the AppStore related to SparkCat malware*

# **How SparkCat Malware Works**

After installation, the malware requests access to view photos in the user's phone library. It then analyzes text in the images using an optical character recognition (OCR) module. If the malware detects relevant keywords, it sends the images to the attacker. The main goal of the hackers is to find recovery phrases for cryptocurrency wallets. With this information, they can fully control the victim's wallet and steal funds. Besides stealing recovery phrases, the malware can extract other personal information from screenshots, such as messages and passwords.

![Searching for keywords among OCR image processing results](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2025/02/04151752/SparkCat_12.png align="left")

*Figure 4. Searching for keywords after extracting text from images*

Despite being rigorously screened by official app stores, infected apps still find their way into Google Play and the App Store. What makes this Trojan particularly dangerous is that there are no signs indicating hidden malware within the app. The permissions requested by the app seem necessary for its core functionality and appear harmless at first glance. This case has challenged the notion that iOS is unaffected by threats posed by malicious apps.

# **List of IOCs Related to SparkCat**

## **Hashes of Infected Android Apps**

| 0ff6a5a204c60ae5e2c919ac39898d4f | MD5 |
| --- | --- |
| 21bf5e05e53c0904b577b9d00588e0e7 | MD5 |
| a4a6d233c677deb862d284e1453eeafb | MD5 |
| 66b819e02776cb0b0f668d8f4f9a71fd | MD5 |
| f28f4fd4a72f7aab8430f8bc91e8acba | MD5 |
| 51cb671292eeea2cb2a9cc35f2913aa3 | MD5 |
| 00ed27c35b2c53d853fafe71e63339ed | MD5 |
| 7ac98ca66ed2f131049a41f4447702cd | MD5 |
| 6a49749e64eb735be32544eab5a6452d | MD5 |
| 10c9dcabf0a7ed8b8404cd6b56012ae4 | MD5 |
| 24db4778e905f12f011d13c7fb6cebde | MD5 |
| 4ee16c54b6c4299a5dfbc8cf91913ea3 | MD5 |
| a8cd933b1cb4a6cae3f486303b8ab20a | MD5 |
| ee714946a8af117338b08550febcd0a9 | MD5 |
| 0b4ae281936676451407959ec1745d93 | MD5 |
| f99252b23f42b9b054b7233930532fcd | MD5 |
| 21bf5e05e53c0904b577b9d00588e0e7 | MD5 |
| eea5800f12dd841b73e92d15e48b2b71 | MD5 |

## **iOS Framework**

| 35fce37ae2b84a69ceb7bbd51163ca8a | MD5 |
| --- | --- |
| cd6b80de848893722fa11133cbacd052 | MD5 |
| 6a9c0474cc5e0b8a9b1e3baed5a26893 | MD5 |
| bbcbf5f3119648466c1300c3c51a1c77 | MD5 |
| fe175909ac6f3c1cce3bc8161808d8b7 | MD5 |
| 31ebf99e55617a6ca5ab8e77dfd75456 | MD5 |
| 02646d3192e3826dd3a71be43d8d2a9e | MD5 |
| 1e14de6de709e4bf0e954100f8b4796b | MD5 |
| 54ac7ae8ace37904dcd61f74a7ff0d42 | MD5 |
| caf92da1d0ff6f8251991d38a840fb4a | MD5 |
| db128221836b9c0175a249c7f567f620 | MD5 |

## **Trojan Configuration in GitLab**

| hxxps://gitlab\[.\]com/group6815923/ai/-/raw/main/rel.json |
| --- |
| hxxps://gitlab\[.\]com/group6815923/kz/-/raw/main/rel.json |

## **C2 Server**

| api.firebaseo\[.\]com |
| --- |
| api.aliyung\[.\]com |
| api.aliyung\[.\]org |
| uploads.99ai\[.\]world |
| socket.99ai\[.\]world |
| api.googleapps\[.\]top |

## **Photo Storage**

<table><tbody><tr><td colspan="1" rowspan="1"><p>hxxps://dmbucket102.s3.ap-northeast-1.amazonaws[.]com</p></td></tr></tbody></table>

# **Recommendations**

**FPT Threat Intelligence** recommends several measures for organizations and individuals to prevent this malware:

* **If you have installed an infected app, remove it immediately and avoid reinstalling until a patch is available.**
    
* **Avoid storing screenshots containing sensitive information**, such as cryptocurrency wallet recovery phrases, in your photo library. Store passwords, secure documents, and important data in **dedicated security applications**.
    
* **Use robust security solutions on all your devices** to protect against malware threats.
    
* **User training and awareness:** Organize cybersecurity training sessions to help identify phishing, scams, and social engineering attacks.
    
* **Check app permissions on your phone:** Only install apps from official sources like Google Play or App Store and review permissions before granting them.
    
* **Regularly update your operating system and applications:** Always use the latest versions to reduce the risk of exploitation by security vulnerabilities.
    

# **References**

* [**Kaspersky discovers new crypto-stealing Trojan in AppStore and Google Play**](https://www.kaspersky.com/about/press-releases/kaspersky-discovers-new-crypto-stealing-trojan-in-appstore-and-google-play)
    
* [**Take my money: OCR crypto stealers in Google Play and App Store**](https://securelist.com/sparkcat-stealer-in-app-store-and-google-play/115385/)
