Apr 06, 2026 · 6 min read
App Store Malware Scans Your Photos to Steal Crypto Wallets
SparkCat passed Apple and Google's app review, then used OCR to read the text in your screenshots and photos.
What Happened
Kaspersky researchers discovered a new variant of the SparkCat malware hiding inside apps on both the Apple App Store and Google Play Store. The malware embeds itself within seemingly legitimate apps, such as food delivery services and messaging platforms, and silently scans every photo in your gallery looking for cryptocurrency wallet recovery phrases. When it finds one, it uploads the image to an attacker-controlled server.
The original SparkCat was first documented in February 2025. This new variant, discovered in April 2026, features improved obfuscation techniques and expanded language support, suggesting the operators have spent over a year refining their approach. Infected Android apps accumulated more than 242,000 downloads on Google Play before removal.
How the OCR Scanning Works
SparkCat does not exfiltrate your whole photo library. Instead, it reads it. The malware uses Google's ML Kit, a legitimate on-device text recognition library found in many benign apps, to perform optical character recognition (OCR) on every image in your gallery, looking for specific patterns that match cryptocurrency wallet recovery phrases. Because ML Kit is an ordinary dependency, its presence in the app raises no alarm on its own.
When you create a cryptocurrency wallet, you receive a recovery phrase, typically 12 or 24 random words that serve as the master key to your funds. Many people photograph this phrase for safekeeping. SparkCat exploits exactly this habit.
The malware uses three specialized text processors to filter what it finds:
- KeywordsProcessor: Searches for financial terminology across multiple languages, including words like "mnemonic," "seed phrase," and their equivalents in Chinese, Korean, Japanese, French, Italian, Portuguese, and Czech
- DictProcessor: Uses encrypted, localized dictionaries stored within the app to match region specific terminology
- WordNumProcessor: Filters results by word count and word length, keeping only candidates with the 12- or 24-word shape characteristic of BIP-39 recovery phrases
When a match is found, the image is uploaded to Amazon S3 storage or directly to the attackers' servers. The victim never sees any indication that their photo was sent anywhere.
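The three-stage filter described above, rebuilt as a defensive check you can run over OCR text from your own photo library to find seed-phrase screenshots before malware does. This is an added example, not SparkCat's code or Kaspersky's: the per-language keyword list, the BIP-39 subset and the three sample OCR strings are constructed for the example, and the length check covers all five BIP-39 phrase sizes (12, 15, 18, 21 and 24 words), which generalises the 12-or-24 rule the article names.

```python
"""Flag OCR output that looks like a BIP-39 recovery phrase.

Added example, not SparkCat's code: a defensive reimplementation of the
three filters (keyword match, dictionary match, word-count and word-length
check). Feed it real OCR output (for example from Tesseract) in practice;
the keyword lists, BIP-39 subset and sample strings here are constructed.
"""
import re
import unicodedata

# KeywordsProcessor analogue: wallet terminology per language
# (constructed subset, not the malware's actual lists).
KEYWORDS = {
    "en": ("mnemonic", "seed phrase", "recovery phrase"),
    "zh": ("助记词",),                       # "mnemonic"
    "ko": ("니모닉", "복구 구문"),             # "mnemonic", "recovery phrase"
    "ja": ("ニーモニック", "シードフレーズ"),
    "fr": ("phrase de récupération",),
    "it": ("frase di recupero",),
    "pt": ("frase de recuperação",),
    "cs": ("seed fráze",),
}

# DictProcessor analogue: the dictionary of valid seed words. The real BIP-39
# English list has 2048 entries; load the full list for real use. Subset here.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
aerobic affair afford afraid again age agent agree ahead aim air airport
""".split())

# WordNumProcessor analogue: BIP-39 phrases are 12/15/18/21/24 words and every
# English list word is 3-8 lowercase letters. Longest length is tried first.
VALID_LENGTHS = (24, 21, 18, 15, 12)
WORD_RE = re.compile(r"^[a-z]{3,8}$")


def keyword_hits(text):
    """Return (lang, keyword) pairs present in the text, case-insensitively."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return [(lang, kw) for lang, kws in KEYWORDS.items()
            for kw in kws if kw.casefold() in folded]


def candidate_phrases(text, wordlist=BIP39_SUBSET):
    """Return runs of tokens with BIP-39 shape whose words are all in the list.

    Numbering such as '1. abandon' and punctuation are ignored because only
    alphabetic tokens are considered; the longest valid run at a position wins.
    """
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]+", text)]
    phrases, i = [], 0
    while i < len(tokens):
        match = None
        for n in VALID_LENGTHS:
            window = tokens[i:i + n]
            if len(window) != n or not all(WORD_RE.match(w) for w in window):
                continue                     # wrong word count or word shape
            if all(w in wordlist for w in window):
                match = window               # dictionary check passed
                break
        if match:
            phrases.append(" ".join(match))
            i += len(match)
        else:
            i += 1
    return phrases


def classify(text, wordlist=BIP39_SUBSET):
    """Combine the three filters into a verdict for one OCR'd image."""
    hits, phrases = keyword_hits(text), candidate_phrases(text, wordlist)
    if phrases:
        verdict = "seed_phrase"      # this is what SparkCat would upload
    elif hits:
        verdict = "keyword_only"     # worth a manual look
    else:
        verdict = "clean"
    return {"verdict": verdict, "keywords": hits, "phrases": phrases}


# Constructed OCR output, standing in for three photos in a gallery.
SAMPLE_WALLET_BACKUP = """Secret Recovery Phrase
Write it down and keep it safe
1. abandon   2. ability   3. able     4. about
5. above     6. absent    7. absorb   8. abstract
9. absurd   10. abuse    11. access  12. accident
"""
SAMPLE_KEYWORD_ONLY = "복구 구문을 안전한 곳에 보관하세요\nabandon ability ab1e about"
SAMPLE_CLEAN = "Lunch at 12:30 with the team, bring the project plan"

if __name__ == "__main__":
    for name, text in [("wallet", SAMPLE_WALLET_BACKUP),
                       ("keyword", SAMPLE_KEYWORD_ONLY),
                       ("clean", SAMPLE_CLEAN)]:
        print(name, classify(text))
```

The "keyword_only" verdict is the case a careless scanner would miss: the Korean sample has the prompt text but an OCR misread ("ab1e") breaks the word run. A production version should add fuzzy matching against the full wordlist so one misread word does not hide a phrase, and should verify the BIP-39 checksum to cut false positives.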
How It Bypassed Apple and Google Review
SparkCat operates as a malicious software development kit (SDK) embedded within otherwise functional apps. The apps themselves work as advertised, which is why they passed app store review. The malicious behavior only activates after the user grants photo gallery access, a permission that seems reasonable for a messaging app (sharing images, setting a profile picture) or a food delivery app.
The Android version uses a native Rust library for its command and control communication, an unusual choice that makes analysis more difficult for automated review systems. The iOS variant is obfuscated with HikariLLVM, a tool that transforms code to resist reverse engineering. Configuration data is downloaded from GitLab URLs after installation and decrypted using AES-128, so reviewers examining the submitted binary see an app that bundles a common text recognition library, but not the live configuration that directs it.
The C2 communication itself is layered: an HTTP channel whose bodies are AES-256 encrypted, and a custom Rust protocol that encrypts with AES-GCM-SIV under a session key wrapped with RSA. Data is compressed with ZSTD before encryption. Inspecting the content of this traffic is impractical, but the destinations, timing and upload volumes remain visible to anyone watching the network, which is why a burst of outbound data from an app is still a useful signal.
Who Is Targeted
The keyword lists embedded in the malware reveal the targeting strategy. The Android variant primarily targets users in Asia, scanning for recovery phrases in Japanese, Korean, and Chinese. The iOS variant takes a broader approach, scanning for English language phrases, which makes it potentially global in reach.
Infected apps included a food delivery service called ComeCome, along with various messaging, payment, and entertainment apps. Some of these apps supported user registration across the UAE, Kazakhstan, China, Indonesia, and Zimbabwe, suggesting a wide geographic footprint.
But this is not just a cryptocurrency problem. The same OCR technique could be adapted to scan for any text in your photos: passwords, banking details, personal documents, or private messages you have screenshotted. SparkCat demonstrates that photo gallery access is a far more powerful permission than most people realize.
What You Should Do
Whether or not you use cryptocurrency, the SparkCat campaign highlights several practical steps everyone should take:
- Audit app permissions: Review which apps have access to your photo gallery and revoke it from apps that do not genuinely need it. Where the option exists, grant access to selected photos instead of the whole library; both iOS and recent Android versions support this.
- Never photograph sensitive credentials. If you have recovery phrases, passwords, or security codes saved as photos or screenshots, delete them (including from recently deleted albums and any cloud photo backup) and store those credentials in a dedicated password manager or offline on paper in a secure location.
- Remove unfamiliar apps. If you installed a messaging or delivery app you rarely use, especially one outside the major brands, uninstall it and check which apps recently accessed your photos in the privacy dashboard (Android) or App Privacy Report (iOS).
- Keep devices updated. Apple and Google have removed known SparkCat-infected apps from their stores, but removal from a store does not uninstall an app already on your device. Keep the OS and apps updated and leave Google Play Protect enabled so that known variants are flagged.
- Watch for unusual data usage. Uploading photos to a remote server consumes data, and encryption hides only the content of that traffic, not its volume. Unexplained spikes in background data usage from an app are a red flag.
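For an Android device with USB debugging enabled, the permission audit in the first step can be done for every installed app at once from the output of `adb shell dumpsys package`. The script below is an added example, not from the article or from Kaspersky; it assumes the `Package [...]` and `permission: granted=...` line layout shown in the constructed sample, which mirrors current dumpsys output but should be checked against your own device before the results are trusted.

```python
"""List installed Android apps holding photo-read permissions.

Added example: parses `adb shell dumpsys package` output and reports every
package with a granted image-access permission. The dumpsys line layout is
assumed from the constructed sample below; verify against a real device.
"""
import re
import subprocess

# Permissions that grant read access to photos, by Android version.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",                # Android 13+
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",  # Android 14+ "selected photos"
    "android.permission.READ_EXTERNAL_STORAGE",            # Android 12 and earlier
}

PACKAGE_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_photo_access(dumpsys_text):
    """Map package name -> sorted list of granted photo permissions."""
    current, granted = None, {}
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)       # following permission lines belong here
            continue
        perm = PERM_RE.match(line)
        if (perm and current and perm.group(2) == "true"
                and perm.group(1) in PHOTO_PERMISSIONS):
            granted.setdefault(current, set()).add(perm.group(1))
    return {name: sorted(perms) for name, perms in granted.items()}


def audit_device():
    """Pull the live dump from a connected device via adb and parse it."""
    dump = subprocess.run(["adb", "shell", "dumpsys", "package"],
                          capture_output=True, text=True, check=True).stdout
    return parse_photo_access(dump)


# Constructed dumpsys excerpt with three hypothetical packages.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fooddelivery] (a1b2c3d):
    userId=10123
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (d4e5f6a):
    userId=10124
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
  Package [com.example.oldgallery] (f7a8b9c):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for name, perms in sorted(parse_photo_access(SAMPLE_DUMPSYS).items()):
        print(name, ", ".join(perms))
```

Run `audit_device()` against a real phone and compare the list with what you expect: a messaging or delivery app with `READ_MEDIA_IMAGES` granted is exactly the situation the article describes, and revoking it in Settings removes the malware's data source even before the app is uninstalled.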
The Bigger Picture
SparkCat is the first documented OCR-based stealer to appear on both the Apple App Store and Google Play Store. The fact that it has been active since at least March 2024 and continues to evolve with new variants two years later shows that app store review processes, while generally effective, can be circumvented by patient attackers who hide the scanning behind a legitimate library and keep the live configuration off the reviewed binary.
The technique of scanning photos for text is not limited to cryptocurrency theft. The same approach could target passwords stored in screenshots, banking notifications, medical records, private conversations, or anything else people save to their camera roll. Android malware that reads a victim's notes app for stored passwords applies the same strategy to a different data source.
Your phone's photo gallery is not a vault. It is a searchable database of everything you have ever found important enough to capture, and malware like SparkCat treats it exactly that way.