
Crypto wallets at risk as malware sneaks into the App Store



A newly discovered malware campaign is stealing cryptocurrency from iOS users by exploiting vulnerabilities in apps available on the App Store.

Kaspersky researchers have discovered a malicious software development kit (SDK) called SparkCat hidden inside multiple apps on both iOS and Android. SparkCat is designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR), allowing attackers to access and drain funds remotely.

Kaspersky has shared a list of MD5 hashes linked to the malicious SparkCat SDK, as well as bundle IDs for the affected iOS apps. However, the company hasn't revealed the full list of infected apps, leaving users in the dark about whether they've installed one.

While some, like ChatAi, have been identified, many remain unnamed, raising concerns that malware could still be lurking on users' devices.

The infected apps on Google Play had over 242,000 downloads, and SparkCat appears to be the first documented instance of crypto-stealing malware slipping through Apple's App Store review process. It was initially found in a food delivery app called ComeCome, which was available in the UAE and Indonesia.

[Image: decompiled onCreate method with invoke and move instructions; DemoApplication, SDKMgr and 'huawei' highlighted. Caption: Suspicious SDK being called. Image credit: Kaspersky]

Researchers determined the malware has been active since at least March 2024, scanning users' photo galleries for wallet recovery phrases and secretly uploading them to an attacker-controlled command-and-control (C2) server.

Unlike past malware that primarily spread through unofficial sources, SparkCat managed to slip into legitimate app stores, making it a more serious threat. It also communicates with attackers using a custom protocol built in Rust, an uncommon programming language for mobile apps.

Some of the infected apps seemed legitimate, like food delivery and AI-powered messaging apps, while others were likely created to bait users.

Apple has pulled the 11 iOS apps mentioned in Kaspersky's report from the App Store. The company also found that these apps share code signatures with 89 others that were previously rejected or removed for fraud violations. The developers behind them have already had their accounts shut down.

Importantly, Apple users can decide whether third-party apps can access sensitive data such as Photos and other Apple services. The first time an app requests such access, a prompt appears explaining why it is needed. Users can change these permissions at any time in Settings.

How to protect your crypto assets

Like SparkCat, other malware strains use OCR to extract text from images. Storing a recovery phrase as a screenshot or photo therefore makes it an easy target for the automated scanning tools attackers use.

Check your installed apps regularly and delete anything that looks unfamiliar or unnecessary. Using a reputable mobile security app can help catch potential threats before they become a problem.

[Image: Java keyword-processor class with loops and conditionals, some strings in Chinese. Caption: Searching for keywords among OCR image processing results. Image credit: Kaspersky]

And if you think your wallet might be compromised, transfer your funds to a new one with a fresh recovery phrase, but only after making sure your device is clean.

That means deleting any suspicious apps, especially those flagged in security reports. It's also a good idea to reset app permissions and clear cached data to remove any lingering threats.

Before restoring from a backup, ensure it doesn't include any infected apps, as reintroducing malware is a common risk. After resetting, only reinstall essential apps from trusted sources to minimize risk.

3 Comments

Appleish 9 Years · 743 comments

Oh No!... Anyway...

5 Likes · 0 Dislikes
soundsinmotion 13 Years · 89 comments

What if you put your wallet key in your notes app? Will they be able to find that?

2 Likes · 0 Dislikes
PuffnStuff New User · 1 comment

DMA .. DMA .. DMA .. thank goodness for level playing fields, shame that the quality standard has gone down. Ursula von der Leyen has bigger fish to fry this week.

1 Like · 0 Dislikes