Password & Crypto-Stealing Trojan Targets UAE Users Via App Stores

Researchers at Kaspersky have identified a Trojan lurking in both the App Store and Google Play since at least March 2024. The malware is known as SparkCat, and it uses optical recognition to scan image galleries, stealing sensitive data like crypto wallet recovery phrases and passwords from user’s screenshots and photos.

How SparkCat Spreads

The malware is being distributed through both infected legitimate apps and cleverly disguised lures. These include messaging apps, AI assistants, food delivery services, and crypto-related applications. Some of the compromised apps have made their way into Google Play and the App Store, while others are circulating through unofficial sources.

Who’s At Risk?

Worryingly for our readers, the primary targets appear to be users in the United Arab Emirates. However, various countries in Europe and Asia have also been targeted, as SparkCat’s optical scanning can detect multiple languages.

How It Works

Once installed, SparkCat may request permission to access a user’s photo gallery. From there, it uses an optical character recognition (OCR) module to scan stored images for relevant keywords. If it detects sensitive data — particularly screenshots of recovery phrases for cryptocurrency wallets — it transmits the images to attackers. With this information, hackers can gain full access to a victim’s funds.

Who’s Behind It?

An analysis of the Android version of SparkCat revealed code comments written in Chinese, while the iOS variant included home directory names like qiongwu and quiwengjing. While these clues suggest a Chinese-speaking threat actor, there isn’t enough evidence to link the software to any known cybercriminal groups.

Sergey Puzan, a malware analyst at Kaspersky, noted, “This is the first known case of OCR-based Trojan to sneak into AppStore. In terms of both AppStore and Google Play, at the moment it’s unclear whether applications in these stores were compromised through a supply chain attack or through various other methods. Some apps, like food delivery services, appear legitimate, while others are clearly designed as lures”.

How To Protect Yourself

To minimize the risk of infection, Kaspersky recommends taking the following precautions:

• If you’ve installed an affected app, delete it immediately and avoid using it until a safe update is available.
• Avoid saving screenshots that contain sensitive information, such as crypto wallet recovery phrases. Instead, use secure password managers.
• Consider using reputable cybersecurity solutions like Kaspersky Premium to safeguard against malware threats.

As and mobile malware tactics evolve, staying cautious with app downloads and maintaining strong security practices can go a long way in keeping your data safe.