SparkCat Malware Scans Gallery Photos to Steal Crypto Wallet Recovery Phrases From App Store Users

Cryptocurrency users face a new breed of threat that bypasses traditional security boundaries by operating directly inside trusted mobile application stores. Kaspersky researchers revealed the SparkCat malware campaign, a sophisticated operation that embedded malicious SDKs inside apps available on both Google Play and Apple’s App Store, marking the first time a crypto-stealing malware was discovered in Apple’s official marketplace. The campaign uses optical character recognition technology to scan device photo galleries for cryptocurrency wallet recovery phrases, turning a common user habit into a critical vulnerability.

The Exploit Mechanics

SparkCat operates through a multi-stage infection chain that begins with legitimate-looking applications distributed through official app stores. The initial vector was a food delivery app called ComeCome, available in the UAE and Indonesia, which had been downloaded more than 10,000 times from Google Play. Once installed, the application initializes a hidden SDK component called Spark, which was heavily obfuscated to evade static analysis by app store reviewers.

Upon activation, the Spark SDK retrieves a JSON configuration file from a GitLab URL hardcoded in the malware body. This configuration is decrypted using AES-128 in CBC mode with embedded keys. The decrypted configuration contains command-and-control server addresses, including both HTTP endpoints and a custom protocol implemented in Rust communicating over port 18883. The use of Rust for the C2 protocol is highly unusual for mobile malware and suggests a sophisticated development team with systems programming expertise.

The critical attack phase leverages Google’s own ML Kit library for OCR processing. After receiving keyword lists from the C2 server, the malware systematically scans every image in the victim’s photo gallery. When the OCR engine detects text matching patterns associated with cryptocurrency recovery phrases—typically 12 or 24 words from standard BIP-39 wordlists—the matching images are encrypted using AES-256 in CBC mode and exfiltrated to the attacker’s server. The entire process runs silently in the background without any visible indicators to the device owner.

Affected Systems

The scope of SparkCat extends across both major mobile platforms. On Android, researchers identified multiple infected applications in Google Play with a combined download count exceeding 242,000 installations. The Android variant operates as a Java-based SDK that decrypts and launches the OCR plugin at runtime, effectively hiding its true capabilities from initial code review.

The iOS variant follows a similar architectural pattern, also relying on Google’s ML Kit for OCR functionality despite running on Apple’s more restricted ecosystem. This cross-platform capability demonstrates the threat actor’s significant investment in development resources. Both variants have been active since at least March 2024, based on timestamps found in malware files and GitLab repository creation dates, meaning the campaign operated undetected for approximately ten months before discovery.

With Bitcoin trading around $96,600 and Ethereum near $2,675 on the date of disclosure, a single compromised recovery phrase could expose wallets containing substantial value. The malware affects any cryptocurrency wallet that stores or displays recovery phrases as screenshots or photographs, which includes virtually every major wallet application including MetaMask, Trust Wallet, Phantom, and hardware wallet companion apps.

The Mitigation Strategy

Google removed the identified malicious applications from Google Play on February 7, 2025, and Apple removed them from the App Store on February 6, 2025. However, these removals only prevent new installations and do not eliminate the malware from devices that already downloaded the infected apps. Users must manually identify and uninstall any applications associated with the SparkCat campaign.

The fundamental mitigation requires a behavioral change: cryptocurrency users should never photograph or screenshot their recovery phrases. The entire attack chain depends on the presence of wallet recovery phrase images in the device’s photo gallery. Hardware wallets that never expose recovery phrases on internet-connected devices provide the strongest defense against this class of attack.

Additional defensive measures include enabling app-level photo access restrictions on both iOS and Android, which prevents individual applications from accessing the full photo library without explicit permission. Security researchers also recommend using dedicated devices or secure note applications with encryption for storing recovery phrase information rather than the default photo gallery.

Lessons Learned

The SparkCat campaign exposes critical weaknesses in app store review processes across both major platforms. Apple’s notoriously strict app review failed to detect a malware campaign that had been operational for nearly a year. The use of legitimate frameworks like Google’s ML Kit for malicious purposes demonstrates how attackers can weaponize trusted development tools to bypass security controls.

The Rust-based C2 protocol represents an evolution in mobile malware sophistication. Most mobile malware relies on standard HTTP communication that is relatively easy to detect and block through network monitoring. By implementing a custom protocol in Rust, the SparkCat operators made their network traffic significantly harder to distinguish from legitimate application activity.
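The page gives one concrete network indicator: a custom, non-HTTP protocol on TCP port 18883. The following is an added detection example (not code from Kaspersky's report or from any named product) that runs that heuristic over a few constructed Zeek-style conn.log lines: it flags outbound connections to that port and raises severity when the protocol analyzer could not identify the service, which is the expected signature of a bespoke protocol. The log format, hosts and timestamps are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the shape of a Zeek conn.log (tab-separated):
# ts, id.orig_h, id.resp_h, id.resp_p, proto, service ("-" = unidentified)
SAMPLE_CONN_LOG = """\
1738900000.123\t10.0.0.21\t203.0.113.10\t443\ttcp\tssl
1738900012.456\t10.0.0.21\t203.0.113.55\t18883\ttcp\t-
1738900020.789\t10.0.0.33\t203.0.113.55\t18883\ttcp\t-
1738900030.000\t10.0.0.21\t203.0.113.10\t443\ttcp\tssl
1738900045.000\t10.0.0.44\t198.51.100.7\t18883\ttcp\tmqtt
"""

# Port named on the page for SparkCat's custom C2 protocol.
SPARKCAT_C2_PORT = 18883


def parse_conn_log(text):
    """Parse the constructed conn.log text into a list of flow dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto, service = line.split("\t")
        records.append({
            "ts": float(ts),
            "orig_h": orig_h,
            "resp_h": resp_h,
            "resp_p": int(resp_p),
            "proto": proto,
            "service": service,
        })
    return records


def find_suspect_c2(records, port=SPARKCAT_C2_PORT):
    """Group flows to `port` by source host and assign a severity.

    'high'   : at least one flow on the port that Zeek could not classify,
               i.e. a protocol its analyzers do not recognise (custom C2).
    'medium' : flows on the port that were classified as a known service;
               still worth a look because the port itself is unusual.
    """
    alerts = {}
    per_host = defaultdict(list)
    for r in records:
        if r["resp_p"] == port and r["proto"] == "tcp":
            per_host[r["orig_h"]].append(r)

    for host, flows in per_host.items():
        unidentified = [f for f in flows if f["service"] == "-"]
        alerts[host] = {
            "count": len(flows),
            "first_seen": min(f["ts"] for f in flows),
            "destinations": sorted({f["resp_h"] for f in flows}),
            "severity": "high" if unidentified else "medium",
        }
    return alerts


if __name__ == "__main__":
    for host, info in find_suspect_c2(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{info['severity']:6} {host} -> {info['destinations']} ({info['count']} flows)")
```

Port-based matching is brittle on its own, since an operator can change the port in the next build; the page's other indicator, a configuration fetch from a hardcoded GitLab URL shortly after install, is the natural thing to correlate this with.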

User Action Required

Anyone who has downloaded food delivery, messaging, or utility apps from Google Play or the Apple App Store between March 2024 and February 2025 should audit their installed applications and delete any screenshots or photographs containing wallet recovery phrases immediately. Users should also review their wallet transaction history for unauthorized transfers and consider migrating funds to new wallets with freshly generated recovery phrases that have never been photographed or stored on a mobile device.
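The advice above (delete any screenshots containing a recovery phrase) and the earlier description of how SparkCat matches OCR output against BIP-39 wordlists both come down to the same check: does a block of text contain a valid mnemonic? The following is an added self-audit example, not code from the page or from Kaspersky, that applies that check to OCR text you have already extracted from your own photos. It validates word count, wordlist membership and the BIP-39 SHA-256 checksum, and separately reports a "possible" hit when OCR has mangled a word so the checksum no longer verifies. Only the first 16 words of the real English wordlist are embedded here as a constructed sample; a real audit loads the full 2048-word list, in order, from a file. The OCR texts and image names are constructed.

```python
import hashlib
import re

# Constructed sample: the first 16 entries of the English BIP-39 wordlist, in
# their real order (index 0 = "abandon", index 3 = "about"). Order matters,
# because the checksum is computed over word indices. Load the full list for
# actual use.
BIP39_WORDS_SAMPLE = [
    "abandon", "ability", "able", "about", "above", "absent", "absorb", "abstract",
    "absurd", "abuse", "access", "accident", "account", "accuse", "achieve", "acid",
]

MNEMONIC_LENGTHS = (24, 21, 18, 15, 12)


def is_valid_mnemonic(words, wordlist):
    """Return True if `words` is a checksum-valid BIP-39 mnemonic."""
    n = len(words)
    if n not in MNEMONIC_LENGTHS:
        return False
    index = {w: i for i, w in enumerate(wordlist)}
    if any(w not in index for w in words):
        return False
    bits = "".join(format(index[w], "011b") for w in words)
    cs_len = n // 3                      # checksum bits = ENT / 32
    ent_bits = bits[:-cs_len]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return bits[-cs_len:] == expected


def find_mnemonics(text, wordlist, min_ratio=0.9):
    """Slide every valid mnemonic length over the OCR tokens.

    'confirmed': all words in the list and checksum verifies.
    'possible' : >= min_ratio of the window is wordlist words but the
                 checksum fails, typical of one OCR-misread word.
    """
    tokens = re.findall(r"[a-z]+", text.lower())   # drops "1." numbering etc.
    wordset = set(wordlist)
    hits = []
    for length in MNEMONIC_LENGTHS:
        for start in range(len(tokens) - length + 1):
            window = tokens[start:start + length]
            known = sum(w in wordset for w in window)
            if known == length and is_valid_mnemonic(window, wordlist):
                hits.append({"start": start, "length": length, "confidence": "confirmed"})
            elif known >= min_ratio * length:
                hits.append({"start": start, "length": length, "confidence": "possible"})
    return hits


def audit_ocr_results(ocr_by_image, wordlist):
    """Map image name -> best confidence for images that should be deleted."""
    report = {}
    for name, text in ocr_by_image.items():
        hits = find_mnemonics(text, wordlist)
        if any(h["confidence"] == "confirmed" for h in hits):
            report[name] = "confirmed"
        elif hits:
            report[name] = "possible"
    return report


# Constructed OCR output for three hypothetical gallery images.
SAMPLE_OCR = {
    # A screenshot of a numbered 12-word backup (the standard all-zero test vector).
    "IMG_0001.png": "Wallet backup\n" + " ".join(
        f"{i}. abandon" for i in range(1, 12)) + " 12. about",
    # An ordinary photo of a shopping list.
    "IMG_0002.png": "milk eggs bread coffee butter",
    # The same backup, but OCR misread one word ("abandom"), so the checksum fails.
    "IMG_0003.png": " ".join(["abandon"] * 5 + ["abandom"] + ["abandon"] * 5 + ["about"]),
}

if __name__ == "__main__":
    for name, verdict in audit_ocr_results(SAMPLE_OCR, BIP39_WORDS_SAMPLE).items():
        print(f"{verdict:9} {name}")
```

The "possible" tier is deliberate: a screenshot that OCR reads imperfectly still contains your recovery phrase, so a checksum-only check would tell you the wrong thing about which images to delete.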

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified cybersecurity professionals for specific security concerns.

8 thoughts on “SparkCat Malware Scans Gallery Photos to Steal Crypto Wallet Recovery Phrases From App Store Users”

  1. ocr scanning your gallery for seed phrases is genuinely evil. the ComeCome app had 10k downloads before anyone noticed

    1. using OCR to scan photo galleries for seed phrases is next level malicious. the attack surface of a simple screenshot habit is terrifying

  2. First time crypto malware made it into Apple App Store. That should worry every iOS user holding crypto.

    1. vault_badger_

      first time in the apple app store too. if it happened once it'll happen again. the review process clearly can't catch obfuscated SDKs reliably

      1. obfuscated SDKs are nearly impossible to catch in automated review. apple needs to do runtime analysis not just static checks

  3. metal plate, fireproof bag, done. no digital copies of seed phrases ever. one simple rule that eliminates this entire attack vector

  4. metal plate backup is cheap insurance. $20 on amazon vs losing your entire stack to a food delivery app scanning your gallery
