Researchers at Kaspersky Lab have uncovered a sophisticated malware campaign called SparkCat that successfully placed data-stealing malware in both Apple’s App Store and Google Play — marking the first publicly documented case of OCR-based data exfiltration malware reaching iOS through Apple’s official distribution channel. The full technical analysis is available on Securelist, Kaspersky’s research blog.
Distribution Strategy and Scale
SparkCat’s operators embedded malicious code inside applications that appeared legitimate — including AI-powered messaging apps, food delivery services, and cryptocurrency tools. The compromised apps passed App Store review and accumulated downloads before being flagged. On Google Play alone, infected applications reached over 242,000 downloads. The geographic distribution at the time of discovery was concentrated in the UAE, Europe, and parts of Asia, though the campaign’s infrastructure suggests readiness for broader deployment.
Technical Analysis: How SparkCat Steals Data
SparkCat’s primary capability is OCR-based image scanning. Upon installation, the malware requests gallery access permissions — a routine request that users commonly grant to messaging or photo-related apps. Once permission is granted, it activates Google ML Kit’s optical character recognition engine to scan images in the device photo library. The malware specifically looks for text matching cryptocurrency wallet seed phrases, which are often stored by users as screenshots. Extracted phrases are exfiltrated to command-and-control servers, giving attackers full control over any associated cryptocurrency wallets.
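The combination described above (photo-library read access, an on-device OCR engine, and a network channel for exfiltration) is something an analyst can check for statically before an app ever runs. The following script is an added example written for this article, not Kaspersky's tooling and not code from the campaign: it takes a decoded AndroidManifest.xml and a list of class names (for a real APK these could come from `apkanalyzer manifest print` and `apkanalyzer dex packages`, which is an assumption about the analyst's workflow) and reports whether all three ingredients are present. The permission names and the `com.google.mlkit.vision.text.` package prefix are real; the sample manifest and class list are constructed.

```python
"""Static triage heuristic for the SparkCat pattern: media read permission +
on-device OCR library + network access. Added example; inputs are constructed."""
import re
from dataclasses import dataclass, field

# Android permissions that grant read access to the photo library (real names).
MEDIA_READ_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
NETWORK_PERMISSION = "android.permission.INTERNET"
# Package prefix of ML Kit's text-recognition (OCR) API (real prefix).
OCR_CLASS_PREFIXES = ("com.google.mlkit.vision.text.",)


@dataclass
class TriageResult:
    reads_media: bool
    has_ocr: bool
    has_network: bool
    ocr_classes: list = field(default_factory=list)

    @property
    def matches_pattern(self) -> bool:
        # All three capabilities together are the signal worth a closer look.
        return self.reads_media and self.has_ocr and self.has_network


def manifest_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission android:name="..."/> entries from a decoded manifest."""
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml))


def triage(manifest_xml: str, class_names) -> TriageResult:
    """Score one app from its manifest text and its dex class list."""
    perms = manifest_permissions(manifest_xml)
    ocr = sorted(c for c in class_names if c.startswith(OCR_CLASS_PREFIXES))
    return TriageResult(
        reads_media=bool(perms & MEDIA_READ_PERMISSIONS),
        has_ocr=bool(ocr),
        has_network=NETWORK_PERMISSION in perms,
        ocr_classes=ocr,
    )


# Constructed sample: a "messaging" app showing the full combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""
SAMPLE_CLASSES = [
    "com.example.chatapp.MainActivity",
    "com.google.mlkit.vision.text.TextRecognition",
    "com.google.mlkit.vision.text.TextRecognizer",
]

# Constructed sample: network access only, no media permission, no OCR classes.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_CLASSES = ["com.example.weather.MainActivity"]


if __name__ == "__main__":
    for name, manifest, classes in (
        ("chatapp", SAMPLE_MANIFEST, SAMPLE_CLASSES),
        ("weather", BENIGN_MANIFEST, BENIGN_CLASSES),
    ):
        r = triage(manifest, classes)
        print(f"{name}: media={r.reads_media} ocr={r.has_ocr} net={r.has_network} "
              f"-> {'REVIEW' if r.matches_pattern else 'ok'} {r.ocr_classes}")
```

This is a triage signal, not a verdict: document scanners and translation apps legitimately bundle ML Kit text recognition alongside photo access, so a hit means "inspect what the OCR output is sent to", not "malicious".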
Attribution and Technical Indicators
Kaspersky researchers identified several indicators pointing to Chinese origin: Chinese-language comments embedded in the Android version’s code, and error messages from the C2 infrastructure in Chinese. However, the researchers explicitly caution that these indicators are insufficient for definitive attribution to a named threat actor. The use of Chinese-language artifacts in malware is sometimes deliberate misdirection.
Users at Risk: Crypto Holders Who Screenshot Seed Phrases and Grant Gallery Permissions
The following users are at elevated risk:
- iOS users who installed AI messaging, food delivery, or cryptocurrency apps from unfamiliar developers between late 2024 and early 2025
- Anyone who stores cryptocurrency wallet seed phrases or private keys as screenshots in their device gallery
- Users who broadly grant gallery permissions to recently installed apps without reviewing the developer’s reputation
- Android users who installed apps from the same campaign via Google Play
Removing Infected Apps and Protecting Cryptocurrency Wallets After SparkCat
- Review recently installed apps — especially those requesting gallery access — and remove any from unrecognized developers
- Never store cryptocurrency seed phrases, private keys, or two-factor recovery codes as screenshots; use an encrypted password manager or offline hardware wallet instead
- Revoke gallery permissions for apps that do not have a legitimate functional need for photo access (Settings > Privacy & Security > Photos on iOS)
- Check whether your installed apps were flagged — search the Securelist SparkCat report for specific package names and app identifiers
- If your seed phrase may have been exposed, immediately transfer funds to a new wallet generated on a clean device
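For the Android side of the campaign, the permission review in the first and third steps above can be scripted rather than clicked through app by app. The script below is an added example, not part of the Securelist report: it parses the output of `adb shell pm list packages -3` (third-party apps only) and `adb shell dumpsys package <pkg>` to list which apps currently hold a photo-library read permission, and prints the matching `adb shell pm revoke` commands for a human to review before running. The command names and permission names are real; the captured output embedded here is constructed to mimic the real format, and the script does not call adb itself.

```python
"""List third-party Android apps holding photo-library read permissions and
emit revoke commands for review. Added example; the adb output is constructed."""
import re

MEDIA_READ_PERMISSIONS = (
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
)

# Constructed stand-in for: adb shell pm list packages -3
PM_LIST_OUTPUT = """package:com.example.chatapp
package:com.example.fooddelivery
package:com.example.notes
"""

# Constructed stand-in for: adb shell dumpsys package <pkg>, one entry per package.
DUMPSYS_OUTPUT = {
    "com.example.chatapp": """  Package [com.example.chatapp] (1a2b3c):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.CAMERA: granted=false, flags=[ USER_SENSITIVE_WHEN_DENIED]
""",
    "com.example.fooddelivery": """  Package [com.example.fooddelivery] (4d5e6f):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SENSITIVE_WHEN_DENIED]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
""",
    "com.example.notes": """  Package [com.example.notes] (7a8b9c):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
""",
}

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def third_party_packages(pm_output: str) -> list:
    """Parse 'package:<name>' lines from pm list packages output."""
    return [line.split("package:", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def granted_permissions(dumpsys_text: str) -> set:
    """Return the runtime permissions marked granted=true in a dumpsys package dump."""
    return {name for name, state in GRANT_RE.findall(dumpsys_text) if state == "true"}


def apps_with_media_read(pm_output: str, dumpsys_by_pkg: dict) -> dict:
    """Map package -> sorted granted media-read permissions, for packages holding at least one."""
    findings = {}
    for pkg in third_party_packages(pm_output):
        granted = granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        hits = sorted(p for p in granted if p in MEDIA_READ_PERMISSIONS)
        if hits:
            findings[pkg] = hits
    return findings


def revoke_commands(findings: dict) -> list:
    """adb commands to run only after deciding an app has no legitimate need for photo access."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in sorted(findings.items()) for perm in perms]


if __name__ == "__main__":
    found = apps_with_media_read(PM_LIST_OUTPUT, DUMPSYS_OUTPUT)
    for pkg, perms in sorted(found.items()):
        print(f"{pkg}: {', '.join(perms)}")
    print("\nRevoke commands to review:")
    for cmd in revoke_commands(found):
        print("  " + cmd)
```

On a real device, replace the two constructed strings with the live `adb shell pm list packages -3` output and one `adb shell dumpsys package <pkg>` call per package; revoking a permission is reversible from the app's Settings page, so erring toward revocation costs nothing but a later prompt.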
SparkCat demonstrates that Apple’s App Store review process, while substantially more rigorous than most third-party stores, is not a sufficient security control on its own. Users must apply the same critical evaluation to apps regardless of their source. The campaign also represents a meaningful escalation in mobile malware sophistication — moving beyond credential phishing to automated, AI-assisted data extraction from device storage.