SparkCat reaches mobile devices inside apps downloaded from the App Store or Google Play. Once installed, the trojanized app asks for access to the photo library under a plausible pretext, such as image customization or media sharing. As soon as the permission is granted, it quietly scans the image gallery, where screenshots of wallet backups typically end up.
The image analysis then begins. SparkCat runs Optical Character Recognition (OCR) over the stored images and matches the recognized text against keyword lists to pick out sensitive content, primarily cryptocurrency wallet recovery phrases, but also login credentials and authentication codes. Matching images are uploaded to a server controlled by the attackers. A recovery phrase alone is enough to import the wallet on another device and empty it; no password or second factor stands in the way.
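The decisive step in that workflow is not the OCR itself but the filter applied to its output: which screenshots are worth uploading. The script below is an added illustration, not SparkCat's code, and models that decision for a defender who wants to scan their own gallery. It assumes a small subset of the BIP-39 English wordlist (the real list has 2048 words), an English-only set of label keywords, and constructed OCR samples; the function and variable names are ours.

```python
"""Heuristic scan of OCR output for cryptocurrency recovery phrases.

Added illustration, not SparkCat's code. It models the decision an OCR-based
stealer must make after text recognition has run over a screenshot (keep or
ignore), which is also the check a defender can run over their own gallery.
Assumptions: BIP39_WORDS is a small subset of the 2048-word BIP-39 English
list (swap in the full list for real use), and the OCR samples are constructed.
"""
import re

# Subset of the BIP-39 English wordlist (assumption: the real list has 2048
# entries; load it from a file for anything beyond this demonstration).
BIP39_WORDS = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
adult advance advice aerobic affair afford afraid again age agent
zoo zone zero zebra youth young yellow yard wrong write
""".split())

# Mnemonic lengths allowed by BIP-39 (12 to 24 words in steps of 3).
VALID_LENGTHS = (24, 21, 18, 15, 12)

# Labels wallets print beside a backup. The malware matches OCR text against
# keyword lists in several languages; this English-only tuple is a stand-in.
KEYWORD_HINTS = ("recovery phrase", "seed phrase", "secret phrase",
                 "mnemonic", "backup phrase")

WORD_RE = re.compile(r"[a-z]+")


def tokenize(ocr_text):
    """Lower-case and keep alphabetic runs only, so the numbering such as
    '1.' or '12)' that wallets put in front of each word is dropped."""
    return WORD_RE.findall(ocr_text.lower())


def find_phrases(ocr_text, wordlist=BIP39_WORDS):
    """Return (token_index, words) for every maximal run of wordlist words
    long enough to hold a mnemonic; the longest valid length is taken."""
    tokens = tokenize(ocr_text)
    findings = []
    i = 0
    while i < len(tokens):
        if tokens[i] not in wordlist:
            i += 1
            continue
        j = i
        while j < len(tokens) and tokens[j] in wordlist:
            j += 1
        run = tokens[i:j]
        for n in VALID_LENGTHS:
            if len(run) >= n:
                # A stray dictionary word glued to the front would shift the
                # window; the BIP-39 checksum (needs the full list) settles it.
                findings.append((i, run[:n]))
                break
        i = j
    return findings


def keyword_hints(ocr_text):
    """Return the hint labels present in the OCR text."""
    text = ocr_text.lower()
    return [k for k in KEYWORD_HINTS if k in text]


def classify_screenshot(ocr_text):
    """Decide whether a screenshot is worth keeping: a phrase-length run of
    wordlist words is a strong signal, a label alone is a weak one."""
    phrases = find_phrases(ocr_text)
    hints = keyword_hints(ocr_text)
    verdict = "phrase" if phrases else ("hint" if hints else "ignore")
    return {"verdict": verdict, "phrases": phrases, "hints": hints}


# Constructed OCR output of a wallet backup screen and of an unrelated chat.
WALLET_OCR = """Your Secret Recovery Phrase
Write these 12 words down and never share them
1. abandon 2. ability 3. able 4. about
5. above 6. absent 7. absorb 8. abstract
9. absurd 10. abuse 11. access 12. accident
Done
"""
CHAT_OCR = "Lunch at 12:30? Bring the report about Q3 numbers."

if __name__ == "__main__":
    for name, text in (("wallet", WALLET_OCR), ("chat", CHAT_OCR)):
        print(name, classify_screenshot(text)["verdict"])
```

The wordlist run is the strong signal: ordinary text rarely contains twelve consecutive BIP-39 words, whereas a label such as "recovery phrase" also appears in help pages and tutorials. Running a scan like this over your own screenshots, then deleting any hit, removes exactly the material an OCR stealer is after.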
The malware does not stop there. Where the app holds the relevant permissions, it reads SMS messages and notifications to pick up two-factor authentication codes, which lets it get past a second factor the victim has set up. That part applies to Android only: third-party iOS apps cannot read SMS or other apps' notifications, so on iOS the damage comes from the gallery scan alone. To evade detection, SparkCat obfuscates its components, which also makes it harder to find and remove.
SparkCat is particularly insidious because it turns legitimate applications into infection vectors. It spread through the official stores embedded in otherwise genuine apps for popular services, such as AI assistants, food delivery, and cryptocurrency wallets.
The malicious code arrives as a third-party SDK or framework that developers integrate into their apps, in at least some cases apparently without knowing what it does, thereby compromising the security of their applications and of end users. Every dependency that ships inside a mobile app runs with the app's permissions, so a photo permission granted to the app is also granted to the SDK.
On Android, the malicious SDK includes a Java component named Spark, disguised as an analytics module. On iOS, it appears under several names, including Gzip, googleappsdk, and stat. These component names are what a developer or reviewer should look for in an app's dependency list and bundled frameworks. Malicious applications identified so far include WeTink, AnyGPT, and ComeCome.
To counter SparkCat, follow these security best practices: