Malicious add-ons to legitimate apps<\/h2>\n
Apps containing SparkCat\u2019s malicious components fall into two categories. Some, such as numerous similar messenger apps claiming AI functionality, all from the same developer, were clearly designed as bait. Some others are legitimate apps: food delivery services, news readers, and crypto wallet utilities. We don\u2019t yet know how the Trojan functionality got into these apps. It may have been the result of a supply chain attack<\/a>, where a third-party component used in the app was infected. Alternatively, the developers may have deliberately embedded the Trojan into their apps.<\/p>\n The first app where we detected SparkCat was a food delivery service called ComeCome, available in the UAE and Indonesia. The infected app was found on both Google Play and the App Store<\/p><\/div>\n The stealer analyzes photos in the smartphone\u2019s gallery, and to that end, all infected apps request permission to access it. In many cases, this request seems completely legitimate \u2014 for example, the food delivery app ComeCome requested access for a customer support chat right upon opening this chat, which looked completely natural. Other applications request gallery access when launching their core functionality, which still seems harmless. After all, you do want to be able to share photos in a messenger, right?<\/p>\n However, as soon as the user grants access to specific photos or the entire gallery, the malware starts going through all the photos it can reach, searching for anything valuable.<\/p>\n To find crypto-wallet data among photos of cats and sunsets, the Trojan has a built-in optical character recognition (OCR) module based on the Google ML Kit \u2014 a universal machine-learning library.<\/p>\n Depending on the device\u2019s language settings, SparkCat downloads models trained to detect the relevant script in photos, whether Latin, Korean, Chinese, or Japanese. After recognizing the text in an image, the Trojan checks it against a set of rules loaded from its command-and-control server. In addition to keywords from the list (for example, \u201cMnemonic\u201d), the filter can be triggered by specific patterns such as meaningless letter combinations in backup codes or certain word sequences in seed phrases.<\/p>\n During our analysis, we requested a list of keywords used for OCR searching from the Trojan\u2019s C2 servers. The cybercriminals are clearly interested in phrases used to recover access to crypto wallets \u2014 known as mnemonics<\/p><\/div>\n The Trojan uploads all photos containing potentially valuable text to the attackers\u2019 servers, along with detailed information about the recognized text and the device the image was stolen from.<\/p>\n We identified 10 malicious apps in Google Play, and 11 in the App Store. At the time of publication, all malicious apps had been removed from the stores. The total number of downloads from Google Play alone exceeded 242,000 at the time of analysis, and our telemetry data suggests that the same malware was available from other sites and unofficial app stores, too.<\/p>\n Among the infected apps are popular delivery services and AI-powered messengers in both Google Play and the App Store<\/p><\/div>\n Judging by SparkCat\u2019s dictionaries, it\u2019s \u201ctrained\u201d to steal data from users in many European and Asian countries, and evidence indicates that attacks have been ongoing since at least March 2024. The authors of this malware are likely fluent in Chinese \u2014 more details on this, as well as the technical aspects of SparkCat, can be found in the full report on Securelist<\/a>.<\/p>\n Unfortunately, the age-old advice of \u201conly download highly-rated apps from official app stores\u201d is a silver bullet no longer \u2014 even the App Store has now been infiltrated by a true infostealer, and similar incidents have occurred repeatedly<\/a> in Google Play. Therefore, we need to strengthen the criteria here: only download highly-rated apps with thousands, or better still, millions of downloads, published at least several months ago. Also, verify app links in official sources (such as the developers\u2019 website) to ensure they\u2019re not fake, and read the reviews \u2014 especially negative ones. And, of course, be sure to install a comprehensive security system<\/a>\u00a0on all your smartphones and computers.<\/p>\n Checking negative reviews of the ComeCome app in the App Store could have put users off downloading it<\/p><\/div>\n You should also be extremely cautious<\/a> about granting permissions to new apps. Previously, this was primarily a concern for \u201cAccessibility\u201d settings, but now we see that even granting gallery access can lead to the theft of personal data. If you\u2019re not completely sure about an app\u2019s legitimacy (for example, it\u2019s not an official messenger, but a modified version), don\u2019t grant it full access to all your photos and videos. Grant access only to specific photos when necessary.<\/p>\n Storing documents, passwords, banking data, or photos of seed phrases in your smartphone\u2019s gallery is highly unsafe \u2014 besides stealers such as SparkCat, there\u2019s also always the risk that someone peeks at the photos, or you accidentally upload them to a messenger or file-sharing service. Such information should be stored in a dedicated application. For example, Kaspersky Password Manager<\/a> allows you to securely store and sync not only passwords and two-factor authentication tokens but also banking card details and scanned documents across all your devices \u2014 all in encrypted form. By the way, this app comes with our Kaspersky Plus<\/a> and Kaspersky Premium<\/a> subscriptions.<\/p>\n![\"SparkCat-infected](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/02\/07053218\/ios-android-ocr-stealer-sparkcat-01.png\")
<\/a>AI-powered theft<\/h2>\n
![\"Keywords](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/02\/07053036\/ios-android-ocr-stealer-sparkcat-02.png\")
<\/a>Scale and victims of the attack<\/h2>\n
![\"SparkCat-infected](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/02\/07052910\/ios-android-ocr-stealer-sparkcat-03.png\")
<\/a>How to protect yourself from OCR Trojans<\/h2>\n
![\"Negative](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2025\/02\/07052702\/ios-android-ocr-stealer-sparkcat-04.png\")
<\/a>