New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
SparkCat Evolution: New Malware Variant Hits App Store and Google Play to Steal Crypto Recovery Phrases
TL;DR
A new, more sophisticated version of the SparkCat trojan has been detected on the Apple App Store and Google Play Store. Disguised as benign apps like messengers and food delivery services, the malware uses Optical Character Recognition (OCR) to scan users' photo galleries for cryptocurrency wallet recovery phrases and exfiltrate them to attacker-controlled servers.
The Return of SparkCat
Cybersecurity researchers at Kaspersky have identified a new iteration of the SparkCat malware, marking a significant evolution since the trojan was first documented in February 2025. Despite being a known threat, the malware has successfully bypassed the initial security screenings of both Apple and Google to reach users through their respective official app stores.
The malware operates under a "Trojan" model, concealing its malicious intent within seemingly harmless applications. Researchers have found SparkCat embedded in:
- Enterprise messaging tools
- Food delivery services
Advanced Technical Capabilities
The latest version of SparkCat demonstrates a high level of technical maturation, particularly on the Android platform. To evade detection by security researchers and automated scanners, the developers have implemented several advanced features:
- Code Virtualization: Scrambling code to make reverse engineering significantly more difficult.
- Cross-Platform Languages: Utilization of cross-platform programming to streamline deployment across different operating systems while sidestepping traditional analysis.
- Obfuscation Layers: Multiple layers of protection designed to hide the malware's true purpose from mobile security tools.
Targeting Strategy: OCR and Photo Scanning
The primary objective of SparkCat is the theft of cryptocurrency credentials. It achieves this by requesting access to the smartphone’s photo gallery—a common permission for messenger or delivery apps.
Once granted, the malware uses an Optical Character Recognition (OCR) module to "read" the text within the user's stored images. It specifically searches for keywords associated with cryptocurrency wallet mnemonic phrases (recovery seeds).
Regional Differences in Targeting
While the campaign appears to be the work of a Chinese-speaking operator, its reach varies by platform:
- Android Variant: Specifically scans for keywords in Japanese, Korean, and Chinese, suggesting a localized focus on the Asian market.
- iOS Variant: Scans for mnemonic phrases in English. Because English is the standard language for global crypto recovery phrases, Kaspersky warns that the iOS version has a "potentially broader reach," capable of affecting users regardless of their geographic region.
Discovery and Origin
Kaspersky confirmed the discovery of two infected apps on the Apple App Store and one on the Google Play Store. Sergey Puzan, a researcher at Kaspersky, noted that the similarities between these new samples and those found in early 2025 suggest the same group of developers is behind the resurgence.
"The updated variant of SparkCat requests access to view photos in a user's smartphone gallery in certain scenarios... It analyzes the text in stored images using an optical character recognition module," Puzan told The Hacker News. If keywords match, the sensitive image is immediately sent to the attackers.
How to Stay Protected
The re-emergence of SparkCat on official app stores highlights that even "verified" apps can pose a risk. Security experts recommend:
- Audit Photo Permissions: Be wary of apps that request access to your photo gallery if it is not essential for their primary function.
- Avoid Storing Seeds in Photos: Never store screenshots or photos of your cryptocurrency recovery phrases in your phone's gallery or cloud storage.
- Mobile Security Solutions: Use reputable mobile security software to detect and block known malware families like SparkCat.
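One way to carry out the photo-permission audit on an Android device, as an added example that is not from Kaspersky or the source article: the script parses the text produced by `adb shell dumpsys package` and lists apps that currently hold a gallery-read permission. The package names and sample output are constructed, and the line patterns are an assumption, since the `dumpsys` layout varies between Android versions.

```python
import re
# Permissions that expose gallery images: READ_EXTERNAL_STORAGE (Android 12 and
# earlier), READ_MEDIA_IMAGES (13+), READ_MEDIA_VISUAL_USER_SELECTED (14+).
PHOTO_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
}
# Assumed line shapes: "Package [name] (id):" and "<permission>: granted=<bool>"
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def apps_with_photo_access(dumpsys_text, allowlist=()):
    """Map each non-allowlisted package to the photo permissions it holds."""
    findings, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)  # start of a new package section
            continue
        perm = PERM_RE.match(line)
        if not (perm and current) or current in allowlist:
            continue
        name, granted = perm.groups()
        if granted == "true" and name in PHOTO_PERMISSIONS:
            findings.setdefault(current, set()).add(name)
    return {p: sorted(v) for p, v in findings.items()}

# Constructed sample modelled on dumpsys output; package names are made up.
SAMPLE = """\
Packages:
  Package [com.example.gallery] (1a2b3c):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.fooddelivery] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.messenger] (7a8b9c):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_FIXED]
  Package [com.example.notes] (0d1e2f):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for pkg, perms in apps_with_photo_access(SAMPLE, {"com.example.gallery"}).items():
        print(pkg, ", ".join(perms))
```

On a real device, save the output of `adb shell dumpsys package` to a file and pass its contents in place of `SAMPLE`; the allowlist holds the apps that are expected to read photos.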
Source: https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html


