
A new crypto-stealing malware is targeting iPhones and Android smartphones


A new cybersecurity threat is targeting users of both Android and iOS devices. The malicious SDK, dubbed SparkCat, is designed to steal cryptocurrency wallet recovery phrases using OCR technology.


A new cybersecurity threat is targeting users of both Android and iOS devices. According to a Kaspersky report, a malicious software development kit (SDK) has been spotted embedded in many apps available on Google Play and the Apple App Store. Dubbed SparkCat, the SDK is designed to steal cryptocurrency wallet recovery phrases using optical character recognition (OCR). The campaign has already affected hundreds of thousands of users, with more than 242,000 downloads on the Google Play Store alone.


The malicious SDK operates differently on Android and iOS devices. On Android, it uses a Java component called Spark, which acts as an analytics module. This component retrieves encrypted configuration files from GitLab, which contain commands and updates for the malware. On iOS, the framework goes by various names, such as GZIP, Googleappsdk, or Stat, and uses a Rust-based networking module called IM_NET_SYS to communicate with the C2 server.

The primary function of this malware is to scan images on the user's device for cryptocurrency wallet recovery phrases. These phrases, which are often stored as screenshots or photos, are used to restore access to cryptocurrency wallets. The malware uses Google ML Kit OCR to extract text from images and looks for specific keywords in many languages, including Latin, Korean, Chinese and Japanese. Once it identifies a recovery phrase, the stolen data is sent to the attackers' server, allowing them to access the victim's cryptocurrency funds without needing a password.


Kaspersky's investigation has shown that the malware is region-specific, with keywords and targeting strategies tailored to regions such as Europe and Asia. However, researchers warned that the apps may still work outside their intended regions, putting a wider audience at risk.

So far, 18 Android apps and 10 iOS apps have been identified as infected. A list of the affected apps is available in the Kaspersky report. A notable example is the Android app Chatii, which was downloaded more than 50,000 times before being removed from the Google Play Store. However, many other infected apps are still available on both platforms, which remains a matter of concern.

If you suspect that you have installed a malware-infected app, uninstall it immediately. Experts also recommend installing a reputable mobile antivirus tool to scan your device for any remaining traces of malware. In severe cases, a factory reset may be necessary to ensure complete removal. A self-hosted, offline password manager with vault features can also provide an additional layer of security.
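Because the exposure described above is recovery phrases sitting in the photo gallery as screenshots, a self-audit of your own images is a useful complement to removing the apps. The following is an added example, not code from Kaspersky or from this article: it takes text already extracted from your images and flags files that contain a run of 12 or more consecutive wallet wordlist words. It assumes English BIP-39-style phrases; `DEMO_WORDLIST`, `SAMPLE_OCR` and the function names are constructed for illustration.

```python
import re

# Demo stand-in for the wallet's full 2048-word English list (assumption:
# a real audit loads the complete BIP-39 wordlist from a file instead).
DEMO_WORDLIST = frozenset(
    "abandon about legal sausage thank useful wave winner worth year yellow".split()
)
MIN_PHRASE_WORDS = 12  # shortest standard recovery phrase
NUMBERING = re.compile(r"\d{1,2}[.):]?")  # "1", "1.", "12)" style labels


def find_recovery_phrases(ocr_text, wordlist=DEMO_WORDLIST):
    """Return each run of >= 12 consecutive wordlist words found in the text."""
    phrases, run = [], []
    for token in ocr_text.lower().split() + [""]:  # "" flushes the last run
        if NUMBERING.fullmatch(token):
            continue  # list numbering does not break a phrase
        word = token.strip(".,;:")
        if word in wordlist:
            run.append(word)
            continue
        if len(run) >= MIN_PHRASE_WORDS:
            phrases.append(" ".join(run))
        run = []
    return phrases


def audit_gallery(ocr_by_file, wordlist=DEMO_WORDLIST):
    """Return the files whose extracted text exposes a recovery phrase."""
    return sorted(name for name, text in ocr_by_file.items()
                  if find_recovery_phrases(text, wordlist))


# Constructed OCR output for three images (no real wallet data).
SAMPLE_OCR = {
    "Screenshot_0001.png": "Write these words down\n1. legal 2. winner 3. thank "
        "4. year 5. wave 6. sausage\n7. worth 8. useful 9. legal 10. winner "
        "11. thank 12. yellow",
    "IMG_0002.jpg": "Thank you for your order. The winner of the year gets a sausage.",
    "IMG_0003.jpg": "legal winner thank year wave",  # too short to be a phrase
}

if __name__ == "__main__":
    for name in audit_gallery(SAMPLE_OCR):
        print("delete or move to an offline vault:", name)
```

Any file it flags should be deleted from the gallery and from cloud photo backups after the phrase has been moved to offline storage.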
