Apple and Google Purge Apps Infected With Crypto-Stealing Malware – Ankor Tech

Apple and Google have removed 20 malicious applications from their respective app stores following the discovery of “SparkCat,” a sophisticated malware capable of stealing sensitive data, including cryptocurrency recovery phrases. The security threat remained active for nearly a year before coordinated takedowns were initiated.

The SparkCat Threat: How It Operates

Security researchers at Kaspersky identified the malware in March 2024. It was first detected inside a food delivery application aimed at users in the United Arab Emirates and Indonesia, and the same malicious component was later found in 19 other, unrelated apps. Together, the compromised apps had been downloaded more than 242,000 times from the Google Play Store alone.

The malware uses optical character recognition (OCR) to read the text in images stored in the gallery of an infected device. It then searches that text for keywords that indicate a cryptocurrency wallet recovery phrase, in several languages including English, Chinese, Japanese, and Korean. Once a phrase has been extracted and sent to the attackers, they can take full control of the victim’s wallet and drain its assets.
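The same property that makes recovery phrases easy for malware to find in screenshots, a fixed wordlist and a fixed word count, also makes them easy for a defender to find. The following is an added example, not code from the article, from Kaspersky, or from any wallet vendor: a small check that a wallet app or a device-hygiene tool could run over text an OCR engine produced from a screenshot, to warn the user that the image appears to contain a recovery phrase and should not be kept in the gallery. The OCR text, the wordlist subset and the function names are all constructed for this example; a real deployment would load the full BIP-39 wordlists rather than the 24-word subset embedded here.

```python
"""
Recovery-phrase detector for OCR output (added example, not the article's code).

A defender-side check: given the text an OCR engine recovered from a
screenshot, decide whether it looks like a BIP-39 recovery phrase so the
user can be warned to remove the image from the device gallery.
"""
import re

# ASSUMPTION: a real deployment loads the full 2048-word BIP-39 English list
# (and the Chinese, Japanese and Korean lists, which are just further sets)
# from the BIP-39 specification. Only the first 24 English words are embedded
# here so the example runs offline.
BIP39_EN_SUBSET = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual",
}

# BIP-39 phrases are 12, 15, 18, 21 or 24 words long; anything shorter than
# the minimum is treated as ordinary prose.
MIN_PHRASE_WORDS = 12

# Wallets usually print a number next to each word ("1. abandon"), and OCR
# often glues punctuation onto words, so match alphabetic runs only.
_TOKEN = re.compile(r"[A-Za-z]+")


def find_seed_phrases(ocr_text, wordlist=BIP39_EN_SUBSET):
    """Return every maximal run of consecutive wordlist words that is at least
    MIN_PHRASE_WORDS long, as a list of (start_token_index, words)."""
    tokens = [t.lower() for t in _TOKEN.findall(ocr_text)]
    hits = []
    run, run_start = [], 0
    # The trailing None is a sentinel that flushes a run ending at the text end.
    for i, tok in enumerate(tokens + [None]):
        if tok is not None and tok in wordlist:
            if not run:
                run_start = i
            run.append(tok)
            continue
        if len(run) >= MIN_PHRASE_WORDS:
            hits.append((run_start, run))
        run = []
    return hits


def should_warn(ocr_text):
    """True when the screenshot text appears to contain a recovery phrase."""
    return bool(find_seed_phrases(ocr_text))


def describe_hits(hits):
    """Human-readable findings that deliberately omit the words themselves, so
    a warning log or telemetry record never becomes a second copy of the secret."""
    return [
        f"possible {len(words)}-word recovery phrase starting at token {start}"
        for start, words in hits
    ]


# Constructed OCR output of a wallet's "write down your recovery phrase" screen,
# with the numbering and spacing noise a real OCR pass tends to produce.
SAMPLE_OCR = """Your recovery phrase
1. abandon  2. ability  3. able     4. about
5. above    6. absent   7. absorb   8. abstract
9. absurd  10. abuse   11. access  12. accident
Never share this phrase with anyone."""

# Constructed benign screenshot text: contains several wordlist words, but
# scattered through a sentence rather than as one consecutive run.
BENIGN_OCR = "I was about to accept the account, but access was absent again."

if __name__ == "__main__":
    for label, text in (("wallet screenshot", SAMPLE_OCR), ("chat screenshot", BENIGN_OCR)):
        findings = describe_hits(find_seed_phrases(text))
        print(f"{label}: {findings or 'no recovery phrase detected'}")
```

The check is a heuristic: it does not validate the BIP-39 checksum, so it can flag a run of twelve dictionary words that is not a real mnemonic, which is the right trade-off for a warning that only asks the user to look at an image. The `describe_hits` design choice matters more than it looks: a tool that scans for secrets must not write those secrets into its own logs.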

Data Exposure and Security Failures

Beyond cryptocurrency theft, the SparkCat malware poses a severe risk to general privacy. Researchers discovered that the code is capable of extracting personal information—such as passwords and private messages—directly from screenshots stored on the device.

Takedowns and Ongoing Risks

Following publication of the report, Apple removed the compromised applications from the App Store last week, with Google following suit shortly after. A spokesperson for Google, Ed Fernandez, confirmed that all identified apps were removed from the Play Store and that the associated developers have been banned from the platform. Google also noted that its Play Protect security feature protects users against known versions of this threat.

Apple has not issued a formal statement regarding the incident. Despite the removal from official channels, security experts warn that the danger is not fully neutralized. Kaspersky has indicated that telemetry data shows the malware remains available through unofficial app stores and third-party websites, necessitating continued vigilance from mobile users.