Data Stealer SparkCat

Malware found in apps in the App Store and Google Play

Malware

Kaspersky experts have discovered a new Trojan hidden in apps in the App Store and Google Play that has been active since at least March 2024.

The data stealer ‘SparkCat’ is targeting passwords and recovery phrases for crypto wallets, which it extracts from users’ screenshots using optical character recognition (OCR).


The malware is hidden in messenger apps such as WeTink or AI apps such as AnyGPT or ChatAI, among others; it has been downloaded over 242,000 times via Google Play alone. Users from Europe, Asia and the United Arab Emirates are affected. Kaspersky has already reported the discoveries to Google and Apple.

How does ‘SparkCat’ work?

Once installed, the malware often requests access to the photos in a user’s smartphone gallery. It then analyzes the text in the stored images using an OCR module and sends photos to the attackers if relevant keywords are recognized. Recovery phrases for cryptocurrency wallets are of particular interest to the attackers, because this information lets them gain complete control over a victim’s wallet and steal funds.

Recommendations for protection against ‘SparkCat’

  • If an infected app is installed, remove it and only download it again once an update has been released.
  • Do not save any screenshots on your smartphone that contain sensitive information such as recovery phrases for crypto wallets. Password managers are recommended for storing passwords.
  • A reliable security solution should be used to protect against malware infections.

(Kaspersky)
