Crypto Stealer Malware Hits Apps on App Store and Play

Security researchers at Kaspersky have identified multiple applications on both the App Store and Google Play that contain a form of malware specifically designed to steal cryptocurrency information. These apps were found to incorporate a malicious software development kit (SDK) that employs optical character recognition (OCR) to capture “crypto wallet recovery phrases” from screenshots saved on users’ smartphones. Notably, this marks the first detection of cryptocurrency-stealing malware in apps hosted on Apple’s App Store.

Malicious SDK Targets Crypto Wallet Information via Screenshots

A comprehensive technical report released on Thursday disclosed that no fewer than 18 Android applications have been compromised by the SparkCat SDK, with 10 iOS applications found infected on the App Store. Researchers noted that the total number of downloads for the affected Android apps exceeded 242,000.

Infected applications from the Play Store (left) and App Store
Photo Credit: Kaspersky

Some of the compromised applications appeared to be legitimate, while others, particularly those featuring AI-enhanced messaging functions, were created to lure users into downloading the potentially harmful software. Kaspersky also reported that several of the detected Android apps remained available for download via the Play Store at the time the report was published.

Researchers have not yet established whether these apps were intentionally infected by their developers or if they were affected by a supply chain attack. At this point, neither Apple nor Google has made a public statement regarding the discovery of these malicious apps in their app stores.

Once downloaded, these harmful applications utilize OCR technology to identify and extract text from saved images. Upon detecting a cryptocurrency wallet recovery phrase, the app uploads the image to an Amazon cloud server and sends a notification to the attacker’s server to signal the discovery.

Although Google and Apple have taken steps to remove most of the identified apps from their stores, users who had previously downloaded them will need to manually uninstall the applications from their devices. It is advised that individuals store their cryptocurrency wallet recovery phrases securely in password managers or applications that offer encrypted note storage, rather than keeping them in screenshots that can be accessed by malicious apps with storage or camera permissions.
