SparkCat: Proof That iOS Is Not Immune to Malware

By Clara Campos on March 7, 2025
Researchers have recently discovered SparkCat, malware that targets smartphone users by mining their screenshots for sensitive data. It was detected in applications available on the App Store and Google Play, highlighting the limitations of these platforms' security controls.


A Sophisticated Malware That Exploits Screenshots 

SparkCat infiltrates mobile devices by hiding within apps downloaded from the App Store or Google Play. Once installed, the malicious app requests access to photos under a seemingly legitimate pretext, such as image customization or media file sharing. As soon as permission is granted, it discreetly scans the folder where users’ screenshots are stored. 

The image analysis then begins. SparkCat uses Optical Character Recognition (OCR) to identify sensitive elements, primarily cryptocurrency wallet recovery phrases, but also login credentials and authentication codes. The extracted data is then sent to a remote server controlled by cybercriminals, allowing them to access victims’ financial accounts and drain them. 

But the malware doesn’t stop there. By exploiting granted permissions, it intercepts SMS messages and notifications, retrieving two-factor authentication codes. This allows it to bypass security measures put in place by victims and gain access to protected accounts. To ensure its persistence, SparkCat employs advanced obfuscation techniques, making it difficult to detect and remove. 


Compromised Applications on Official Stores 

SparkCat is particularly insidious because it turns legitimate applications into infection vectors. It has spread through official stores by embedding itself in otherwise legitimate apps that provide popular services, such as AI assistants, food delivery apps, and cryptocurrency wallets.

The malware injection occurs through SDKs and frameworks, which are often integrated by developers unaware of their malicious nature, thereby compromising the security of their applications and end users. 

On Android, the malicious SDK includes a Java component named Spark, disguised as a data analysis module. On iOS, it appears under various names, including Gzip, googleappsdk, or stat. Malicious applications identified include WeTink, AnyGPT, and ComeCome. 


How to Protect Yourself Against This Malware? 

To counter SparkCat, follow these security best practices: 

  • Restrict permissions: Limit access to sensitive resources, such as the photo gallery, only to strictly necessary applications.
  • Monitor app permissions: Regularly audit the access granted to applications and revoke those that seem unjustified or do not comply with the company’s security policies.
  • Deploy an advanced mobile security solution: Pradeo Mobile Threat Defense (MTD) provides unmatched accuracy in analyzing app behavior. It detects not only when an application attempts to access stored files but also when it exfiltrates data to a remote server. Thanks to this precise detection capability, applications containing SparkCat are automatically blocked by Pradeo, preventing any sensitive data leakage before it can occur.
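To make the "monitor app permissions" step concrete, here is an added audit script (not from the article or from Pradeo) that parses the output of `adb shell dumpsys package <pkg>` and flags the grant profile SparkCat needs: photo or storage read access combined with SMS interception and network access. The package names and dumpsys text below are constructed to mimic that format, not captured from a device.

```python
"""Flag Android apps whose granted permissions match the SparkCat profile
described above: screenshot/photo access plus SMS access plus network.
Notification-listener access is configured separately and is not covered here."""
import re
from typing import Dict, Set

# Real Android permission names for each capability the article describes.
PHOTO_PERMS = {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.READ_MEDIA_IMAGES"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NET_PERMS = {"android.permission.INTERNET"}

# Matches both the "install permissions:" and "runtime permissions:" sections.
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.M)

# Constructed sample output, shaped like `dumpsys package` (hypothetical packages).
SAMPLE_DUMPSYS = {
    "com.example.gallery": """
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
    android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
""",
    "com.example.chatassistant": """
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
    android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
""",
}

def granted_permissions(dumpsys_text: str) -> Set[str]:
    """Return every permission marked granted=true in one package's dumpsys text."""
    return set(GRANT_RE.findall(dumpsys_text))

def sparkcat_profile(perms: Set[str]) -> Dict[str, object]:
    """Rate a permission set: high = photos+SMS+network, medium = photos+network."""
    photo, sms, net = (bool(perms & s) for s in (PHOTO_PERMS, SMS_PERMS, NET_PERMS))
    risk = "high" if photo and sms and net else "medium" if photo and net else "low"
    return {"photos": photo, "sms": sms, "network": net, "risk": risk}

def audit(packages: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map each package name to its profile so high-risk apps can be reviewed."""
    return {pkg: sparkcat_profile(granted_permissions(txt)) for pkg, txt in packages.items()}

if __name__ == "__main__":
    for pkg, profile in audit(SAMPLE_DUMPSYS).items():
        print(pkg, profile)
```

On a real device, feed the function the text of `adb shell dumpsys package <pkg>` for each installed package; a "high" result is a cue to revoke the grants or remove the app, not proof of infection.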
