February 5, 2025
Kaspersky Labs, a cybersecurity firm, warned that malicious software development kits (SDKs) found in applications on Google’s Play Store and Apple’s App Store are scanning users' photos to locate and steal cryptocurrency wallet recovery phrases.
According to CoinTelegraph, the malware, named SparkCat, uses optical character recognition (OCR) to search for specific keywords in images across various languages, enabling cybercriminals to access and drain funds from crypto wallets.
According to Kaspersky analysts Sergey Puzan and Dmitry Kalinin, SparkCat is capable of extracting not only wallet recovery phrases but also other personal data from a device's photo gallery, such as passwords and message content. This flexibility poses a significant threat to users' digital security.
The analysts discovered that the malware operates on Android apps through a Java component called Spark, which masquerades as an analytics module, and employs an encrypted configuration file hosted on GitLab for receiving commands.
Kaspersky's research indicates that the malware has been downloaded approximately 242,000 times since its activation around March, targeting mainly Android and iOS users in Europe and Asia. The malware is present in a variety of legitimate-looking and fake apps, sharing common features like the use of the Rust programming language, cross-platform functionality, and sophisticated obfuscation techniques that hinder analysis and detection efforts.
The true origin of SparkCat remains uncertain, as it is not yet clear whether the infected apps were compromised through a supply chain attack or if developers intentionally incorporated the Trojan. However, Puzan and Kalinin found evidence within the malware's code, such as comments and error descriptions in Chinese, suggesting that the developer might be fluent in Chinese. This discovery follows a similar campaign identified by ESET researchers in March 2023.
In light of these findings, Kaspersky's analysts have advised users to avoid storing sensitive information in screenshots or a phone's picture gallery and to use a password manager instead. They also recommend promptly removing any apps that appear suspicious or infected. At the time of reporting, neither Google (NASDAQ: GOOGL) nor Apple (NASDAQ: AAPL) had provided an official response to the situation.
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.