SparkCat Malware Targets iOS & Android: New Variant Steals Crypto Recovery Phrases via App Store Infiltration

SparkCat Malware Resurfaces: New Variant Targets iOS and Android Users to Steal Crypto Wallet Recovery Phrases

Cybersecurity researchers have identified a new variant of the SparkCat malware infiltrating both the Apple App Store and Google Play Store, marking a significant escalation in mobile security threats. This sophisticated malware masquerades as legitimate applications, including enterprise messaging platforms and food delivery services, to covertly access users’ photo galleries and extract cryptocurrency wallet recovery phrases.

Initially documented by Kaspersky in February 2025, SparkCat employs optical character recognition (OCR) technology to scan images for sensitive information, such as wallet recovery phrases. The latest iteration demonstrates enhanced obfuscation techniques, utilizing code virtualization and cross-platform programming languages to evade detection and analysis. Notably, the Android version now scans for keywords in Japanese, Korean, and Chinese, indicating a targeted focus on Asian users.

The iOS variant of SparkCat has expanded its reach by scanning for cryptocurrency wallet mnemonic phrases in English, potentially affecting users globally. This development underscores the evolving capabilities of cybercriminals and the increasing sophistication of their methods.

Kaspersky’s findings reveal that the malware requests permission to view the photos in the user’s smartphone gallery and then analyzes the stored images with its OCR module. If relevant keywords are detected, the matching image is transmitted to the attackers. The similarities between the current and previous versions suggest that the same developers are behind this new variant.

This resurgence of SparkCat highlights the critical importance of robust mobile security measures. Users are advised to exercise caution when downloading applications, even from official app stores; to question gallery-access requests from apps that have no obvious need for photos; to avoid keeping wallet recovery phrases as screenshots or photos, since that is exactly what this malware looks for; and to implement comprehensive security solutions to protect against a broad range of cyber threats.