
Kaspersky Unveils Malware That Targets Crypto Users via Malicious SDKs
Kaspersky Labs has identified a new malware targeting crypto users through malicious software development kits embedded in mobile apps.
Cybersecurity firm Kaspersky Labs has disclosed a sophisticated malware scheme targeting cryptocurrency users through malicious software development kits (SDKs) embedded within mobile applications available on Google Play and the Apple App Store.
These malicious applications utilize an optical character recognition (OCR) tool to scan users’ photos for wallet recovery phrases, providing hackers the means to access and deplete funds from affected wallets.
In a February 2025 report, Kaspersky analysts Sergey Puzan and Dmitry Kalinin revealed that the malware, called SparkCat, infiltrates devices and searches for images containing recovery phrases, using keyword detection across various languages. It can also collect other sensitive data, including passwords and private messages captured in screenshots.
How the Malware Operates
Once the recovery phrases are extracted, the attackers gain full access to the victims’ crypto wallets. The researchers note, “The intruders steal recovery phrases for crypto wallets, which are enough to gain full control over the victim’s wallet for further theft of funds.”
On Android devices, SparkCat disguises itself as a Java-based analytics module and updates its operations via an encrypted configuration file stored on GitLab.
Kaspersky estimates that this malware has been downloaded roughly 242,000 times since its introduction in March 2023, primarily affecting users in Europe and Asia.
Experts’ Recommendations
Kaspersky emphasizes the importance of not storing sensitive information like recovery phrases in photo galleries and recommends using password managers and regularly scanning for suspicious applications to ensure security.