New Variant of SparkCat Malware Found in iOS and Android Apps Targets Crypto Wallet Recovery Phrase Images
April 3, 2026 – Cybersecurity researchers have uncovered an advanced version of the notorious SparkCat malware lurking within legitimate apps on both Apple’s App Store and Google Play Store. This discovery underscores the evolving threat landscape as malicious actors intensify efforts to stealthily steal sensitive cryptocurrency data from mobile users.
SparkCat Returns With Enhanced Capabilities
More than a year after SparkCat was first identified targeting mobile operating systems, security experts at Russian cybersecurity firm Kaspersky have revealed a new variant infecting apps available to users in Asia and beyond. The malware cunningly disguises itself inside seemingly harmless applications such as enterprise messengers and food delivery services.
Once installed, SparkCat silently scans the user’s photo gallery to locate images containing cryptocurrency wallet recovery phrases. These phrases, also known as mnemonic phrases, allow attackers to hijack victims’ crypto wallets and steal their digital assets.
Multi-Platform Threat With Regional Focus
Kaspersky’s investigation found two compromised iOS apps and one Android app bearing the malicious payload. The iOS version is particularly concerning because it identifies recovery phrases written in English, which broadens the malware’s potential victim pool regardless of geographic region.
Conversely, the Android variant is engineered to detect wallet recovery keywords written in East Asian languages, including Japanese, Korean, and Chinese, indicating a targeted focus on Asian markets. This version also relies on code virtualization and cross-platform programming languages for obfuscation, which helps it evade detection and makes analysis by cybersecurity researchers harder.
How SparkCat Operates
The malware uses an optical character recognition (OCR) model to read the text in images stored on the device. If it detects keywords that indicate crypto wallet recovery data, it exfiltrates those images to remote attacker-controlled servers.
Kaspersky first documented SparkCat in February 2025, noting its unique ability to capture and transmit sensitive mnemonic phrase images. The newly released variant continues this function while enhancing its stealth features and expanding language support.
Attribution and Warnings
Sergey Puzan, a researcher at Kaspersky, emphasized the ongoing threat posed by SparkCat:
“The updated variant requests access to photos in users’ galleries under various scenarios, then analyzes text through OCR to find wallet recovery phrases. When found, it sends these images to attackers. Given the similarities to previous versions, we believe the same threat actors are behind this campaign, which highlights the critical importance of employing robust mobile security solutions.”
Kaspersky’s earlier assessments suggested that the operation is likely conducted by Chinese-speaking threat actors, given linguistic and technical attributes associated with the malware.
Protecting Yourself Against SparkCat and Similar Threats
This resurgence of SparkCat serves as a stark reminder of the risks facing cryptocurrency users, especially those relying on mobile devices for managing digital assets. Cybersecurity experts recommend the following precautions:
- Download apps only from trusted developers and official sources.
- Avoid granting unnecessary permissions, particularly access to photos and files.
- Use reputable mobile security software with malware detection capabilities.
- Regularly back up wallet recovery phrases in secure, offline locations.
- Stay informed about emerging threats and security best practices.
Reported by Ravie Lakshmanan | The Hacker News