Kaspersky discovers new SparkCat variant bypassing App Store and Google Play security

The new version of SparkCat is distributed through infected legitimate apps — messengers designed for enterprise communication and a food delivery app. Kaspersky experts found two infected apps on the App Store and one on Google Play, from which the malicious code has since been removed. Kaspersky telemetry shows that the apps infected with SparkCat are also distributed through third-party sources. A few of these web pages are mimicking the App Store if opened from an iPhone.

The updated variant of the Trojan for Android scans image galleries on the compromised devices for screenshots containing specific keywords in Japanese, Korean and Chinese, leading Kaspersky experts to assess that this campaign primarily targets cryptocurrency assets of users in Asia. The iOS variant, however, takes a different approach as it scans for cryptocurrency wallet mnemonic phrases, which are in English. This makes the iOS variant potentially broader in reach, as it can affect users regardless of their region. 

The updated SparkCat version for Android features multiple obfuscation layers compared to previous versions, including code virtualization and cross-platform programming language usage — techniques that are rare for mobile malware.

Kaspersky has reported known malicious applications to Google and Apple.

“The updated variant of SparkCat requests access to view photos in a user’s smartphone gallery in certain scenarios — just like the very first version of the Trojan. It analyzes the text in stored images using an optical character recognition module. If the stealer finds relevant keywords, it sends the image to the attackers. Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same. This campaign again underscores the importance of using security solutions for smartphones to stay protect against a broad range of cyberthreats,” said Sergey Puzan, cybersecurity expert at Kaspersky.   

“The SparkCat malware is an evolving mobile threat. Threat actors behind it constantly raise the complexity of the anti-analysis techniques allowing it to bypass the review process of the official app stores. Moreover, methods used by the SparkCat developers, such as code virtualization and cross-platform programming language usage, are rare for mobile malware. This demonstrates the high skill of the threat actors,” added Dmitry Kalinin, cybersecurity expert at Kaspersky.

This threat is detected by Kaspersky products with the following verdicts: HEUR:Trojan.AndroidOS.SparkCat.*, HEUR:Trojan.IphoneOS.SparkCat.*

To avoid becoming a victim of this malware, Kaspersky recommends the following safety measures:

• Use reliable cybersecurity software, like Kaspersky for Mobile — it can protect your data on smartphones from cyberattacks. Kaspersky for Android will prevent installation of the malware, while Kaspersky for iOS, due to the architectural characteristics of Apple’s OS, prevents an attempt to connect to the attackers’ command server and displays a warning to users. 
• Avoid storing screenshots containing sensitive information in your gallery, especially cryptocurrency wallet seed phrases. Such sensitive information as well as screenshots of important documents should be stored in specialized applications such as Kaspersky Password Manager.
• Be careful even downloading apps from official stores, as it is not always risk-free.

About Kaspersky Threat Research
The Threat Research team is a leading authority in protecting against cyberthreats. By actively engaging in both threat analysis and technology creation, our TR experts ensure that Kaspersky’s cybersecurity solutions are deeply informed and exceptionally potent, providing critical threat intelligence and robust security to our clients and the broader community.