‘SparkCat’ Rust Malware Targets Crypto Wallets via Google Play and Apple App Store

• The relatively new SparkCat crypto-stealer shows cross-platform compatibility and advanced obfuscation.
• The malicious apps are written in the Rust programming language, enhancing sophistication.
• Leveraging official app marketplaces as distribution channels, it steals recovery phrases to access crypto wallets.

The SparkCat sophisticated cross-platform malware campaign aimed at stealing cryptocurrency wallet recovery phrases from Android and iOS users escalates vulnerabilities even in official app stores like Google Play and Apple's App Store.

First identified in late 2024 by ESET researchers, SparkCat employs advanced techniques to harvest sensitive user data. The financially driven campaign focuses on stealing recovery phrases, also known as mnemonics, used to regain access to cryptocurrency wallets. 

These recovery phrases provide complete access to victims' wallets, enabling attackers to siphon off funds, the latest Kaspersky security report says.

The campaign targets mobile users through both official app stores and unofficial sources. More than 242,000 Android users unknowingly downloaded apps infected with malicious frameworks from Google Play, while this marks the first instance of malware-based recovery phrase theft found in Apple's App Store. 

The infected apps spanned various categories, including food delivery services and AI-powered messaging platforms, and were embedded with an OCR-enabled (Optical Character Recognition) SDK (Software Development Kit) designed for data exfiltration.

One notable app, "ComeCome," a food delivery platform available in Indonesia and the UAE, raised alarms during the investigation. The malware embedded within ComeCome used Google’s ML Kit library to scan image galleries for recovery phrases in multiple languages, including English, Chinese, French, and Korean. 

The compromised apps leveraged stealth techniques like requesting permissions only under specific conditions to evade detection.

A defining characteristic of SparkCat is its use of the Rust programming language, which is uncommon in mobile malware. The malware employs a Rust-based protocol to communicate with the command-and-control (C2) servers. 

Researchers identified client-side Rust code handling communication with the server, along with server-side encryption, underscoring the sophistication of the attackers' infrastructure. 

This campaign also features advanced obfuscation and deception tactics. For example, its C2 domains were disguised to mimic legitimate services, and the malicious frameworks were concealed as system packages within the infected apps.

The telemetry data gathered by ESET indicates that SparkCat has primarily targeted victims in Europe and Asia, though users from other regions are likely at risk. Comments within the Android codebase and the decrypted iOS framework revealed the extensive use of the Chinese language, suggesting the malware's creator may be fluent in Chinese. 

However, there is insufficient evidence to attribute the operation to a specific cybercriminal group.

In December, a new crypto-stealing malware campaign was spotted. The Meeten macOS and Windows app downloaded an info-stealer component primarily targeting Web3 professionals and their crypto wallets.