
Malicious SDKs On Google Play And App Store Steal Crypto Seed Phrases: Kaspersky

by Moussa
February 5, 2025


Cybersecurity firm Kaspersky Labs has uncovered a sophisticated malware campaign targeting cryptocurrency users through malicious software development kits (SDKs) embedded in mobile apps on Google Play and the Apple App Store.


These compromised apps use an optical character recognition (OCR) tool to scan users’ photos for crypto wallet recovery phrases, allowing hackers to drain funds from affected wallets.

In a 4 February 2025 report, Kaspersky analysts Sergey Puzan and Dmitry Kalinin detailed how the malware, known as SparkCat, infiltrates devices and searches for images containing recovery phrases using keyword detection across multiple languages.


Seed Phrases Allow Attackers to Access Crypto Wallets

Once extracted, these phrases grant attackers complete access to victims’ crypto wallets. “The intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds,” the researchers wrote.

They also warned that the malware’s flexibility enables it to steal other sensitive data, such as passwords and private messages captured in screenshots.

On Android, the malware disguises itself as a Java-based analytics module called Spark and receives operational updates via an encrypted configuration file stored on GitLab. It employs Google’s ML Kit OCR to extract text from images stored on infected devices.

If a recovery phrase is detected, the malware transmits it to attackers, who can then import the victim’s crypto wallet onto their own devices without needing a password.

Kaspersky estimates that SparkCat has been downloaded approximately 242,000 times since its emergence in March 2023, primarily targeting users in Europe and Asia.

Since mid-2024, we’ve been tracking a sophisticated Android malware campaign that exploits wedding invitations to deceive users into installing a malicious APK—Tria Stealer.

Once installed, this malware intercepts SMS messages, tracks call logs, and steals data from Gmail and… pic.twitter.com/TQbQjHvmjm

— Kaspersky (@kaspersky) February 3, 2025

The malware has been found across dozens of apps—some appearing legitimate, such as food delivery services, while others are suspiciously designed to attract victims, such as messaging apps with AI features.

The infected apps share common characteristics: use of the Rust programming language (uncommon in mobile applications), cross-platform functionality, and obfuscation techniques that make detection difficult.
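An added example, not from Kaspersky's report or the original article: a triage pass over an app inventory that flags the combination described above (gallery read access, bundled ML Kit OCR, network access), weighted by the Rust trait. The record format, the `ocr_is_advertised` and `rust_native_code` fields, and the sample apps are constructed assumptions; the permission names and the ML Kit package prefix are real Android identifiers.

```python
# Added triage example. Inventory records are constructed, not real apps.
PHOTO_READ = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
INTERNET = "android.permission.INTERNET"
OCR_PREFIX = "com.google.mlkit.vision.text"  # ML Kit text recognition classes


def triage(app):
    """Return (score, reasons) for one app inventory record."""
    perms = set(app["permissions"])
    reasons = []
    if perms & PHOTO_READ:
        reasons.append("can read gallery images")
    if any(pkg.startswith(OCR_PREFIX) for pkg in app["packages"]):
        reasons.append("bundles ML Kit OCR")
    if INTERNET in perms:
        reasons.append("has network access")
    # Only the full read -> OCR -> upload path is scored; each part alone is common.
    score = 3 if len(reasons) == 3 else 0
    if score and not app.get("ocr_is_advertised", False):
        score += 1
        reasons.append("OCR is not part of the advertised features")
    if score and app.get("rust_native_code", False):
        score += 1
        reasons.append("Rust native code, unusual in mobile apps")
    return score, reasons


def review_queue(apps, threshold=4):
    """App ids that need manual review, highest score first."""
    scored = sorted(((triage(a)[0], a["id"]) for a in apps), reverse=True)
    return [app_id for score, app_id in scored if score >= threshold]


FULL_PATH = ["android.permission.READ_MEDIA_IMAGES", INTERNET]
SAMPLE_APPS = [  # constructed records; a real inventory would come from an MDM export
    {"id": "com.example.fooddelivery", "permissions": FULL_PATH,
     "packages": [OCR_PREFIX + ".TextRecognition"], "rust_native_code": True},
    {"id": "com.example.docscanner", "permissions": FULL_PATH,
     "packages": [OCR_PREFIX + ".TextRecognition"], "ocr_is_advertised": True},
    {"id": "com.example.aichat", "permissions": FULL_PATH,
     "packages": [OCR_PREFIX + ".TextRecognizer"]},
    {"id": "com.example.notes", "permissions": [INTERNET], "packages": []},
]

if __name__ == "__main__":
    for app_id in review_queue(SAMPLE_APPS):
        print("review:", app_id)
```

A hit is a reason to inspect the app, not a verdict: legitimate scanners and translators use the same permissions and library, which is why advertised OCR lowers the score.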


Unidentified Origins

Puzan and Kalinin stated that it remains uncertain whether the affected apps were intentionally embedded with the malware by developers or compromised through a supply chain attack.

“Some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims,” the researchers noted, adding that several similar-looking AI messaging apps were traced back to the same developer.

Although Kaspersky has not attributed SparkCat to any known hacking group, researchers discovered Chinese-language comments and error messages within the malware’s code, leading them to believe that the developer is fluent in Chinese.

The malware bears similarities to a March 2023 campaign discovered by ESET researchers, but its exact origins remain unknown.

Kaspersky urges users to avoid storing sensitive information, such as crypto wallet recovery phrases, in their photo galleries. Instead, they recommend using password managers and regularly scanning for and removing suspicious applications.


The post Malicious SDKs On Google Play And App Store Steal Crypto Seed Phrases: Kaspersky appeared first on 99Bitcoins.




