A newly discovered malware campaign is stealing cryptocurrency from iOS users through compromised apps available on the App Store.
Kaspersky researchers have discovered a malicious software development kit (SDK) called SparkCat hidden inside multiple apps on both iOS and Android. SparkCat is designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR), allowing attackers to access and drain funds remotely.
Kaspersky has shared a list of MD5 hashes linked to the malicious SparkCat SDK, as well as BundleIDs for iOS apps. However, the company hasn’t revealed the full list of infected apps, leaving users in the dark about whether they’ve installed one.
While some, like ChatAi, have been identified, many remain unnamed, raising concerns that malware could still be lurking on users’ devices.
The infected apps on Google Play had over 242,000 downloads, and SparkCat appears to be the first documented instance of crypto-stealing malware slipping through Apple’s App Store review process. It was initially found in a food delivery app called ComeCome, which was available in the UAE and Indonesia.
Researchers determined the malware has been active since at least March 2024, scanning users’ photo galleries for wallet recovery phrases and secretly uploading them to an attacker-controlled command-and-control (C2) server.
Unlike past malware that primarily spread through unofficial sources, SparkCat managed to slip into legitimate app stores, making it a more serious threat. It also communicates with attackers using a custom protocol built in Rust, an uncommon programming language for mobile apps.
Some of the infected apps seemed legitimate, like food delivery and AI-powered messaging apps, while others were likely created to bait users.
While Apple and Google have removed most affected apps, security researchers warn that some may still be available through sideloading or third-party sources. Anyone who downloaded these apps should delete them immediately and check their crypto wallets for any signs of unauthorized access.
How to protect your crypto assets
SparkCat is not the only malware strain that uses OCR to extract text from images. Storing a recovery phrase as a screenshot or photo makes it an easy target for the automated scanning tools attackers use.
Check your installed apps regularly and delete anything that looks unfamiliar or unnecessary. Using a reputable mobile security app can help catch potential threats before they become a problem.
And if you think your wallet might be compromised, transfer your funds to a new one with a fresh recovery phrase, but only after making sure your device is clean.
That means deleting any suspicious apps, especially those flagged in security reports. It’s also a good idea to reset app permissions and clear cached data to remove any lingering threats.
Before restoring from a backup, ensure it doesn’t include any infected apps, as reintroducing malware is a common risk. After resetting, only reinstall essential apps from trusted sources to minimize risk.