New SparkCat Variant: Image Scraping Malware Hits Major App Stores
Has anyone else caught the report on the new SparkCat malware variant? It’s surfaced again on both Google Play and the Apple App Store, concealed within seemingly benign apps like enterprise messengers and food delivery services.
What’s particularly concerning is the specific targeting methodology. This variant isn't just grabbing contacts or SMS logs; it’s actively using OCR (Optical Character Recognition) to scan device storage for screenshots of crypto wallet recovery phrases.
The malware typically requests storage permissions on the pretext of saving user files, then recursively scans directories like DCIM and Pictures.
If you are analyzing these APKs or IPA files, watch for:
- Integration of OCR libraries (e.g., Tesseract) stripped of symbols.
- Frequent ContentResolver queries targeting image MIME types.
- Network traffic exfiltrating base64 encoded strings to non-standard C2 domains.
Here is a basic Python snippet to check for unexpected OCR dependencies in an APK using androguard:
from androguard.misc import AnalyzeAPK

a, d, dx = AnalyzeAPK("suspicious.apk")

# Check for common OCR libraries in third party libs
ocr_indicators = ["tesseract", "opencv", "leptonica"]
# get_libraries() only returns <uses-library> manifest entries; a bundled
# native OCR engine (lib/<abi>/libtesseract.so etc.) only shows up in the
# archive file list, so scan both
candidates = list(a.get_libraries()) + list(a.get_files())
for name in candidates:
    if any(indicator in name.lower() for indicator in ocr_indicators):
        print(f"[!] Potential OCR library found: {name}")
Given the BYOD nature of most environments, how are you handling this? Are you blocking specific utility categories in the app store, or just relying on Mobile Threat Defense (MTD) solutions to catch the runtime behavior?
This is exactly why we moved to strict Mobile Threat Defense (MTD) integration with our MDM. Standard AV signatures on mobile are too slow for this stuff because the payload often downloads after installation or gets decrypted at runtime. We've set up alerts for any app attempting to scan the DCIM directory rapidly—it's a classic tell for image scrapers. Still, user education is tough when the app is a 'food delivery' service.
The social engineering aspect here is wild. Hiding in a food delivery app is genius because people expect it to need camera/gallery access for 'receipts' or profile pics. From a pentest perspective, I always recommend checking for excessive permissions during the internal app review. If a chat app doesn't need to scan your entire gallery, don't grant it. We need to push for 'least privilege' on mobile just like we do on servers.
I've been analyzing the network traffic for similar strains recently. They often try to blend in with legitimate image hosting APIs to exfiltrate the stolen text. If you have SSL inspection enabled on your mobile proxy, look for small POST requests containing high-entropy strings that don't match typical image file headers.
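As an added example (not the poster's own tooling), the triage heuristic above written out: small POST bodies are flagged when they carry a high-entropy payload and do not start with a known image magic header. The 5.0 bits/byte entropy threshold, the 4 KiB size limit and the sample bodies are constructed assumptions.

```python
import base64
import math
from collections import Counter

# Magic bytes a genuine image upload would start with (file part of a multipart
# body; strip the multipart boundary before calling classify_post_body on it).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"RIFF": "webp",
}

# Constructed samples standing in for captured POST bodies.
SAMPLE_EXFIL = base64.b64encode(bytes(range(256)))       # base64 blob, no image header
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + bytes(range(64))     # legitimate-looking JPEG start
SAMPLE_JSON = b'{"status":"ok","id":12}'                 # ordinary API call


def shannon_entropy(data):
    """Bits per byte: ~8 for random binary, ~6 for base64, ~4 for plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def image_header(body):
    """Return the image format whose magic bytes open the body, else None."""
    for magic, fmt in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return fmt
    return None


def classify_post_body(body, max_size=4096, entropy_threshold=5.0):
    """Flag a small, high-entropy body that is not an image (assumed thresholds)."""
    fmt = image_header(body)
    ent = shannon_entropy(body)
    suspicious = fmt is None and len(body) <= max_size and ent >= entropy_threshold
    return {"size": len(body), "entropy": round(ent, 2),
            "image_format": fmt, "suspicious": suspicious}


if __name__ == "__main__":
    for label, body in [("exfil", SAMPLE_EXFIL), ("jpeg", SAMPLE_JPEG), ("json", SAMPLE_JSON)]:
        print(label, classify_post_body(body))
```

Base64 caps out near 6 bits/byte, so a threshold of 5.0 separates encoded blobs from JSON and form fields while still catching them; tune it against your own proxy's baseline before alerting on it.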
The core issue is often users taking screenshots of seed phrases in the first place. We enforce "Block Screen Capture" policies for sensitive apps on corporate devices to prevent the file from ever existing.
For auditing Android endpoints, you can check for recent screenshots using this quick command:
adb shell find /sdcard/DCIM/Screenshots -mtime -7
Eliminating the source file is often more effective than trying to detect the scraper.