New malware steals crypto recovery phrases via infected apps

February 5, 2025

A newly discovered malware campaign, dubbed "SparkCat", targets both Android and iOS devices and uses on-device text recognition to steal cryptocurrency wallet recovery phrases from users' photos.

Kaspersky researchers Sergey Puzan and Dmitry Kalinin found the malicious code embedded in apps distributed through Google Play and, in the first known case of this kind of stealer on Apple's platform, the Apple App Store.

The infected apps had been downloaded more than 242,000 times. The malware works by searching the user's photo gallery for images that contain a recovery phrase.

It runs the images through an Optical Character Recognition (OCR) model built on Google's ML Kit and checks the extracted text for keywords that indicate a crypto wallet recovery phrase. Images that match are uploaded, without the user's knowledge, to a command-and-control server run by the attackers.

One of the infected apps identified was "ComeCome," a food delivery app available in the UAE and Indonesia. Researchers discovered that a hidden malicious software development kit (SDK) called "Spark" was embedded in its code. 

On launch, the SDK downloaded an encrypted configuration file from a remote server and only then activated its functions. The Android version of SparkCat decrypted an OCR plugin, scanned image files for key phrases linked to cryptocurrency wallets, and sent the matching images to the attackers.
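To make the filtering step concrete, here is an added example (not SparkCat's code, and not taken from Kaspersky's analysis) of a keyword-plus-structure test over OCR output of the kind the article describes. The trigger labels and the short BIP-39 word subset are constructed assumptions, and the sample OCR strings are made up. The same check is useful on the defender's side, pointed at a screenshot folder to find phrases that should be moved out of the gallery.

```python
"""Heuristic filter for OCR'd image text that may contain a wallet recovery phrase.

Added illustration of the keyword-plus-structure test described in the
article; it is not SparkCat's own code, and the malware's real keyword lists
are not reproduced here.
"""
import re

# Constructed trigger labels (assumption: what wallet UIs print above a phrase).
TRIGGER_KEYWORDS = (
    "recovery phrase", "seed phrase", "secret phrase", "backup phrase",
    "mnemonic", "write down these words",
)

# BIP-39 mnemonics are 12, 15, 18, 21 or 24 words long.
MNEMONIC_LENGTHS = frozenset({12, 15, 18, 21, 24})

# Small constructed subset of the 2048-word English BIP-39 list, enough for the
# sample inputs below; a real scanner would load the full list.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
wrong yard year yellow young youth zebra zero zone zoo
""".split())

_NUMBERING = re.compile(r"\b\d{1,2}[.):]?\s*")  # "1. word", "12) word"
_WORD = re.compile(r"\b[a-z]{3,8}\b")           # BIP-39 words are 3 to 8 letters


def has_trigger_keyword(text: str) -> bool:
    lowered = text.lower()
    return any(k in lowered for k in TRIGGER_KEYWORDS)


def candidate_words(text: str) -> list:
    """Lower-case tokens of mnemonic shape, with per-word numbering stripped."""
    return _WORD.findall(_NUMBERING.sub(" ", text.lower()))


def longest_wordlist_run(words, wordlist) -> int:
    """Length of the longest run of consecutive tokens that are all wordlist words."""
    best = current = 0
    for w in words:
        current = current + 1 if w in wordlist else 0
        best = max(best, current)
    return best


def classify(text: str, wordlist=BIP39_SUBSET) -> dict:
    """Score one image's OCR output.

    verdict is 'mnemonic' when at least 12 consecutive wordlist words appear
    (everyday words such as 'about' or 'above' are also BIP-39 words, so a
    single hit means nothing), 'keyword' when only a trigger label was seen,
    and 'clean' otherwise.
    """
    run = longest_wordlist_run(candidate_words(text), wordlist)
    keyword = has_trigger_keyword(text)
    if run >= min(MNEMONIC_LENGTHS):
        verdict = "mnemonic"
    elif keyword:
        verdict = "keyword"
    else:
        verdict = "clean"
    return {"verdict": verdict, "keyword": keyword, "run": run}


# Constructed OCR outputs standing in for ML Kit results on gallery images.
SAMPLES = {
    "wallet_screenshot": (
        "Your Secret Recovery Phrase\n"
        "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
        "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident\n"
        "Never share this with anyone."
    ),
    "notes_app": "zoo zone zero zebra youth young yellow year yard wrong abandon ability",
    "support_chat": "Where do I find my seed phrase in this wallet app?",
    "holiday_photo": "Lunch at the zoo tomorrow at 2? Bring the kids",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:18} {classify(text)}")
```

The structural test is what carries the decision: the notes-app sample has no label at all and is still flagged, while the support-chat sample mentions "seed phrase" but contains no run of wordlist words and is only marked as a keyword hit. A scanner that stops at keywords, as the article's description of the malware suggests, produces many false positives on ordinary chat screenshots and misses unlabelled phrases.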

What makes SparkCat particularly alarming is that it got past the review processes of the official app stores. Malware campaigns against crypto users have traditionally relied on phishing websites or third-party app stores; SparkCat's presence in the App Store shows that a malicious SDK hidden inside an otherwise ordinary app can slip through Apple's review.

The malware's communication infrastructure is another notable aspect of the attack. The malicious SDK spoke a protocol the researchers did not recognise, implemented in Rust, an unusual choice for a mobile SDK. Stolen data was wrapped in several layers of encryption, which made the traffic hard to analyse. The attackers also staged stolen images in Amazon Web Services cloud storage, so the uploads blended in with legitimate cloud traffic.

Although the campaign was built to steal recovery phrases, its reach is wider: any screenshot or photo whose text matches the keyword list is exfiltrated, so passwords, private messages and other sensitive information captured in images can be taken as well. Judging by the languages in the keyword lists and dictionary files used to filter images, the campaign mainly targeted users in Europe and Asia.

Kaspersky's researchers suspect that the malware was developed by individuals fluent in Chinese, based on code comments and server responses in Chinese. However, there is currently no conclusive evidence linking SparkCat to a known hacking group.

Following the discovery, Kaspersky reported the infected apps to Google and Apple. Some of the malicious apps have since been removed from Google Play, though several were still available at the time of analysis. Apple has not yet commented on whether the infected apps remain in its store.

Security experts urge users to delete any affected apps immediately and to stop keeping sensitive information such as cryptocurrency recovery phrases in the photo gallery, where any app granted photo-library access can read it. They also recommend using reliable mobile security software to detect and block such malware.
