
New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images

The Hacker News Archived Apr 03, 2026 ✓ Full text saved



Ravie Lakshmanan | Apr 03, 2026 | Mobile Security / Threat Intelligence

Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both mobile operating systems.

The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while silently scanning victims' photo galleries for cryptocurrency wallet recovery phrases.

Russian cybersecurity company Kaspersky said it found two infected apps on the App Store and one on the Google Play Store that primarily target cryptocurrency users in Asia.

"The iOS variant, however, takes a different approach as it scans for cryptocurrency wallet mnemonic phrases, which are in English," the company said. "This makes the iOS variant potentially broader in reach, as it can affect users regardless of their region."

The improved version of SparkCat for Android incorporates several obfuscation layers compared to previous iterations. This includes the use of code virtualization and cross-platform programming languages to sidestep analysis efforts. What's more, the Android version scans for Japanese, Korean, and Chinese keywords, indicating an Asian focus.

SparkCat was first documented by Kaspersky in February 2025, highlighting its ability to leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to an attacker-controlled server.

The latest improvements show that the malware is an actively evolving threat and point to the technical capabilities of the threat actors behind the operation. Kaspersky had previously assessed the malicious activity to be the work of a Chinese-speaking operator.

"The updated variant of SparkCat requests access to view photos in a user's smartphone gallery in certain scenarios — just like the very first version of the Trojan," Kaspersky researcher Sergey Puzan told The Hacker News. "It analyzes the text in stored images using an optical character recognition module."

"If the stealer finds relevant keywords, it sends the image to the attackers. Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same. This campaign again underscores the importance of using security solutions for smartphones to stay protected against a broad range of cyberthreats."