Altcoins

Malicious SDKs On Google Play And App Store Steal Crypto Seed Phrases: Kaspersky

By Ruholamin Haqshanas

Last Updated: Feb 5, 2025

Fact checked

By Akriti Seth

Malicious SDKs on Google Play and App Store Steal Crypto Seed Phrases: Kaspersky

Cybersecurity firm Kaspersky Labs has uncovered a sophisticated malware campaign targeting cryptocurrency users through malicious software development kits (SDKs) embedded in mobile apps on Google Play and the Apple App Store.

These compromised apps use an optical character recognition (OCR) tool to scan users’ photos for crypto wallet recovery phrases, allowing hackers to drain funds from affected wallets.

In a 4 February 2025 report, Kaspersky analysts Sergey Puzan and Dmitry Kalinin detailed how the malware, known as SparkCat, infiltrates devices and searches for images containing recovery phrases using keyword detection across multiple languages.

EXPLORE: 10 Coins with High Returns: Crypto Forecast 2025

Seed Phrases Allow Attackers to Access Crypto Wallets

Once extracted, these phrases grant attackers complete access to victims’ crypto wallets. “The intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds,” the researchers wrote.

They also warned that the malware’s flexibility enables it to steal other sensitive data, such as passwords and private messages captured in screenshots.

On Android, the malware disguises itself as a Java-based analytics module called Spark and receives operational updates via an encrypted configuration file stored on GitLab. It employs Google’s ML Kit OCR to extract text from images stored on infected devices.

If a recovery phrase is detected, the malware transmits it to attackers, who can then import the victim’s crypto wallet onto their own devices without needing a password.

Kaspersky estimates that SparkCat has been downloaded approximately 242,000 times since its emergence in March 2023, primarily targeting users in Europe and Asia.

The malware has been found across dozens of apps—some appearing legitimate, such as food delivery services, while others are suspiciously designed to attract victims, such as messaging apps with AI features.

The infected apps share common characteristics, including the use of Rust programming language, which is uncommon in mobile applications, cross-platform functionality, and obfuscation techniques that make detection difficult.

EXPLORE: 10 Coins with High Returns: Crypto Forecast 2025

Unidentified Origins

Puzan and Kalinin stated that it remains uncertain whether the affected apps were intentionally embedded with the malware by developers or compromised through a supply chain attack.

“Some apps, such as food delivery services, appear legitimate, while others are clearly built to lure victims,” the researchers noted, adding that several similar-looking AI messaging apps were traced back to the same developer.

Although Kaspersky has not attributed SparkCat to any known hacking group, researchers discovered Chinese-language comments and error messages within the malware’s code, leading them to believe that the developer is fluent in Chinese.

The malware bears similarities to a March 2023 campaign discovered by ESET researchers, but its exact origins remain unknown.

Kaspersky urges users to avoid storing sensitive information, such as crypto wallet recovery phrases, in their photo galleries. Instead, they recommend using password managers and regularly scanning for and removing suspicious applications.

EXPLORE: 15 New & Upcoming Coinbase Listings to Watch in 2025

Free Bitcoin Crash Course

  • Enjoyed by over 100,000 students.
  • One email a day, 7 days in a row.
  • Short and educational, guaranteed!

Why you can trust 99Bitcoins

10+ Years

Established in 2013, 99Bitcoin’s team members have been crypto experts since Bitcoin’s Early days.

90hr+

Weekly Research

100k+

Monthly readers

50+

Expert contributors

2000+

Crypto Projects Reviewed

Google News Icon
Follow 99Bitcoins on your Google News Feed
Get the latest updates, trends, and insights delivered straight to your fingertips. Subscribe now!
Subscribe now
Disclaimer Icon
Disclaimer

Crypto is a high-risk asset class. This article is provided for informational purposes and does not constitute investment advice. You could lose all of your capital.

Ruholamin Haqshanas
Ruholamin Haqshanas
Crypto Journalist

Ruholamin Haqshanas is an accomplished crypto and finance journalist with over three years of experience. He has been featured in various high-profile outlets, including Cryptonews.com, Investing.com, 24/7 Wall St, and Business2Community. Read More

Back to top