
Apple and Google have pulled apps from their app stores after
security researchers found them carrying data-stealing malware for nearly one year.
The mobile app market is substantial. AppLovin forecasts the mobile app market will see significant growth
in the next two years, with global mobile app downloads reaching 181 billion and consumer spending projected to hit $233 billion by 2026.
Security researchers at Kaspersky described the malware, SparkCat, as a data-stealing Trojan found to be active in Apple's
AppStore and Google Play. They believe it has been floating around the app stores since at least March 2024.
SparkCat uses machine learning to scan image galleries and steal screenshots
containing cryptocurrency wallet recovery phrases. It can also find and extract other sensitive data in images, such as passwords.
There have been more than 242,000 downloads of infected
apps from Google Play alone.
This is the first known instance of optical recognition-based malware appearing in AppStore.
The malware has been found both in otherwise legitimate apps and in purpose-built lures, such as an app that features interactive chat stories told in the form of text messages.
The researchers did not describe how this type of Trojan would affect ads inside the
apps.
Some of these apps are available on official platforms in Google Play and AppStore. Kaspersky telemetry data also shows that infected versions are being distributed through other
unofficial sources, according to the security firm's blog post.
The malware primarily targets users in the United Arab Emirates and countries in Europe and Asia. SparkCat scans image
galleries for keywords in multiple languages, including Chinese, Japanese, Korean, English, Czech, French, Italian, Polish, and Portuguese. Experts believe victims could be from other countries as
well.
Researchers found that the onCreate method in the application's entry point had been overridden in version 2.0.0.
The overridden method initializes an SDK component named
“Spark.” The team had to deobfuscate it statically, which means making code that has been intentionally obscured easier to understand before analyzing it.
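Because the hook described above lives in the app's own entry point rather than in a separate payload, one triage step an analyst can take on a decompiled Android app is to list every third-party initializer called from an Application subclass's onCreate. The script below is an added illustration of that heuristic, not Kaspersky's tooling or the SparkCat sample's code; the decompiled source it scans is constructed inline, and the class names in it (ChatApplication, Spark.init, Analytics.start, MainActivity) are invented placeholders, with only the SDK name "Spark" taken from the article.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of decompiled Android Java source (not from any real app).
# Class and method names are placeholders; "Spark" echoes the SDK name the researchers cite.
SAMPLE_SOURCES: Dict[str, str] = {
    "com/example/chat/ChatApplication.java": """
package com.example.chat;
import android.app.Application;
public class ChatApplication extends Application {
    @Override
    public void onCreate() {
        super.onCreate();
        Spark.init(this);        // third-party SDK started before any Activity
        Analytics.start(this);
    }
}
""",
    "com/example/chat/MainActivity.java": """
package com.example.chat;
import android.app.Activity;
public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        setContentView(R.layout.main);
    }
}
""",
}

# Only Application subclasses are treated as entry points here (assumption for this triage pass).
ENTRY_POINT_BASES = ("Application",)

CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+(\w+)")
# Static-style calls such as Spark.init( ; lowercase receivers (super, this, locals) are skipped.
CALL_RE = re.compile(r"\b([A-Z]\w*)\.(\w+)\s*\(")


def _method_body(src: str, name: str) -> Optional[str]:
    """Return the text between the braces of the first method called `name`, or None."""
    start = src.find(name + "(")
    if start < 0:
        return None
    open_idx = src.find("{", start)
    if open_idx < 0:
        return None
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return None


def find_entry_point_inits(sources: Dict[str, str]) -> List[Dict[str, object]]:
    """List third-party initializers invoked from onCreate of each Application subclass."""
    findings: List[Dict[str, object]] = []
    for path, src in sources.items():
        cls = CLASS_RE.search(src)
        if not cls or cls.group(2) not in ENTRY_POINT_BASES:
            continue
        body = _method_body(src, "onCreate")
        if body is None:
            continue
        # Drop the Android resource class R; everything else is a candidate SDK hook to review.
        calls = sorted({f"{c}.{m}" for c, m in CALL_RE.findall(body) if c != "R"})
        if calls:
            findings.append({"file": path, "class": cls.group(1), "calls": calls})
    return findings


if __name__ == "__main__":
    for f in find_entry_point_inits(SAMPLE_SOURCES):
        print(f"{f['file']}: {f['class']}.onCreate -> {', '.join(f['calls'])}")
```

The output is a review list, not a verdict: every SDK started from Application.onCreate runs before the user sees a screen, so each entry is worth tracing to see what permissions it later exercises (gallery access in the SparkCat case).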
Beyond stealing recovery phrases, the malware is capable of extracting other personal information from screenshots, such as messages and passwords.
“The SparkCat campaign has some unique features that make it dangerous. First of all, it spreads through official app stores and operates without obvious signs of infection. The stealthiness of this Trojan makes it hard to discover it for both store moderators and mobile users,” Dmitry Kalinin, malware analyst at Kaspersky, wrote in a blog post. “The permissions it requests seem reasonable, making them easy to overlook. Access to the gallery that the malware attempts to reach may seem essential for the app to function properly, as it appears from the user perspective.”
Kalinin added that this permission is typically requested in relevant contexts, such as when users contact customer support.
Analyzing Android versions of the malware, Kaspersky experts found comments in
the code written in Chinese. The iOS version contained the developer home directory names “qiongwu” and “quiwengjing.”