Back End News

Kaspersky finds new crypto-stealing Trojan in app stores


A newly discovered Trojan, which Kaspersky has named SparkCat, has been found in both the App Store and Google Play. It uses optical character recognition (OCR) to pull sensitive information out of images stored on the victim's device. According to Kaspersky, the malware has been active since at least March 2024.

SparkCat spreads through both legitimate-looking and fake apps, including messaging platforms, AI assistants, food delivery services, and crypto-related applications. Some infected apps were available in the official stores, while others circulated through unofficial sources. Kaspersky noted that the infected Android apps on Google Play had been downloaded more than 242,000 times.

“This is the first known case of an OCR-based Trojan to sneak into the App Store,” Sergey Puzan, malware analyst at Kaspersky, said in a media advisory. “In terms of both the App Store and Google Play, at the moment it’s unclear whether applications in these stores were compromised through a supply chain attack or through various other methods. Some apps, like food delivery services, appear legitimate, while others are clearly designed as lures.”

The malware, according to Kaspersky, searches image galleries for cryptocurrency wallet recovery phrases and other private details, including passwords.

SparkCat primarily targets users in the United Arab Emirates (UAE), Europe, and Asia. It scans images for keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. However, Kaspersky researchers believe the malware could affect users in other regions as well.

Extracting private information

Once installed, SparkCat requests permission to access the user’s photo gallery. It then runs OCR over the images and looks for specific phrases related to cryptocurrency wallets. If it finds a match, it sends the images to the attackers, who can use the information to access and drain the victim’s funds. In addition to wallet recovery phrases, SparkCat can extract other private information, such as passwords and messages.

Kaspersky experts found comments in SparkCat’s Android code written in Chinese, while the iOS version contained developer directory names “qiongwu” and “quiwengjing.” Although this suggests the malware creators are fluent in Chinese, there is no clear connection to a known cybercriminal group.

Kaspersky noted that several features of the SparkCat campaign make it particularly dangerous. It spreads through official app stores and operates without obvious signs of infection, which makes it hard for both store moderators and mobile users to spot. The permissions it requests also look reasonable and are easy to overlook: from the user’s perspective, gallery access can appear essential for the app to function, and the request is typically made in a plausible context, such as when the user contacts customer support.

SparkCat’s Android module decrypts and runs an OCR plugin using Google’s ML Kit to recognize text in images. The iOS version uses a similar method.
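What the OCR step produces is just text; the part that makes the Trojan a crypto stealer is the filter that decides which images are worth exfiltrating. The script below is an added illustration of that filtering logic, not code from Kaspersky or from SparkCat, and it runs on already-extracted text rather than calling ML Kit. The same check is useful defensively: run it over OCR output of your own screenshots to see what an OCR-based stealer would have picked up. The keyword lists and sample texts are constructed for this example, and the word-count and word-length rules are taken from the BIP39 mnemonic standard, which the article does not mention.

```python
"""Heuristic check for seed-phrase-like content in OCR output.

Added illustration (not Kaspersky's or SparkCat's code). It combines two
signals an OCR-based stealer needs after text recognition:
  1. wallet-related trigger keywords in several languages, and
  2. a run of short words whose count matches a BIP39 mnemonic.
"""
import re
from typing import Dict, List, Tuple

# Trigger keywords in a few of the languages the article names.
# Constructed illustrative set, not Kaspersky's reported keyword list.
WALLET_KEYWORDS: Dict[str, List[str]] = {
    "en": ["recovery phrase", "seed phrase", "mnemonic", "private key"],
    "zh": ["助记词", "私钥", "钱包"],
    "ja": ["シードフレーズ", "秘密鍵", "ウォレット"],
    "ko": ["복구 구문", "시드 구문", "개인 키", "지갑"],
    "fr": ["phrase de récupération", "clé privée", "portefeuille"],
    "pt": ["frase de recuperação", "chave privada", "carteira"],
}

# Assumption from the BIP39 standard: a mnemonic has 12, 15, 18, 21 or 24
# words, and every English wordlist entry is 3 to 8 letters long.
BIP39_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"^[A-Za-z]{3,8}[.,]?$")
INDEX_RE = re.compile(r"^\d{1,2}[.):]?$")  # "1." or "12)" numbering shown by wallet UIs


def keyword_hits(text: str) -> List[Tuple[str, str]]:
    """Return (language, keyword) pairs found in the text, case-insensitively."""
    lowered = text.lower()
    return [(lang, kw) for lang, kws in WALLET_KEYWORDS.items()
            for kw in kws if kw.lower() in lowered]


def phrase_like_runs(text: str) -> List[int]:
    """Lengths of consecutive short-word runs whose count is a BIP39 length.

    Numbering tokens ("1.", "2)") are transparent. Any other token that is not
    a 3-8 letter word (a label such as "phrase:", a time, a code) closes the
    current run, so a heading before the words does not inflate the count.
    """
    runs: List[int] = []
    current = 0
    for token in text.split():
        if INDEX_RE.match(token):
            continue
        if WORD_RE.match(token):
            current += 1
            continue
        if current in BIP39_LENGTHS:
            runs.append(current)
        current = 0
    if current in BIP39_LENGTHS:
        runs.append(current)
    return runs


def assess(text: str) -> Dict[str, object]:
    """Combine both signals; the text is flagged if either one fires."""
    hits = keyword_hits(text)
    runs = phrase_like_runs(text)
    return {"keyword_hits": hits, "phrase_like_runs": runs,
            "flagged": bool(hits or runs)}


# Constructed sample OCR output: a screenshot of a wallet backup screen.
SAMPLE_BACKUP_SCREEN = (
    "Write down your recovery phrase:\n"
    "1. apple 2. banana 3. cherry 4. dragon 5. eagle 6. forest\n"
    "7. garden 8. hammer 9. island 10. jungle 11. kitten 12. lemon\n"
)
# Constructed benign sample: a photo of a note.
SAMPLE_BENIGN = "Team lunch at 12:30 on Friday, bring the Q3 invoice and slides."

if __name__ == "__main__":
    for name, sample in (("backup", SAMPLE_BACKUP_SCREEN), ("benign", SAMPLE_BENIGN)):
        print(name, assess(sample))
```

The word-run heuristic is deliberately loose: it does not check words against the real 2048-entry BIP39 wordlist, so a 12-word line of ordinary short words will also match. That is the trade-off an attacker makes too, since the cost of a false positive for them is only an extra uploaded image, while for a defender running this as a gallery audit it is a quick way to find backup screenshots that should never have been photographed in the first place.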

Kaspersky has reported the malware to Google and Apple.
