Warning: New SparkCat Variant on iOS and Android Apps Targets Crypto Wallet Recovery Phrases


April 3, 2026 — By Ravie Lakshmanan

Cybersecurity researchers have uncovered a new variant of the SparkCat malware actively targeting users of both iOS and Android devices through the Apple App Store and Google Play Store. This discovery comes more than a year after the original trojan was first identified. The malware notably targets cryptocurrency users by stealthily extracting sensitive recovery phrase images from victims’ photo galleries.


Malware Disguised as Legitimate Apps

The SparkCat malware was found concealed within seemingly legitimate and benign applications, such as enterprise messaging tools and food delivery services. Once installed, the malware silently scans the victim’s photo library to identify images containing cryptocurrency wallet recovery phrases, a critical security component for accessing digital wallets.

Russian cybersecurity firm Kaspersky reported locating two infected apps on Apple’s App Store and another on Google’s Play Store. The primary targets appear to be cryptocurrency users in Asia. Kaspersky noted that while the Android version targets users by scanning for region-specific keywords in Japanese, Korean, and Chinese, the iOS variant uniquely scans for wallet mnemonic phrases in English. This approach potentially broadens its victim base beyond a single geographic region.


Enhanced Capabilities and Evasion Techniques

The updated SparkCat variant for Android incorporates several new obfuscation techniques aimed at evading detection and analysis. These improvements include the use of code virtualization and cross-platform programming languages, making it substantially harder for security researchers to dissect the malware’s functions.

The iOS variant, meanwhile, maintains its strategy of requesting access to view photos in the user’s smartphone gallery. Using an optical character recognition (OCR) module, it analyzes text within images to identify wallet recovery phrases. When such sensitive information is detected, the malware transmits the relevant images to servers controlled by the attackers.


A Continuously Evolving Threat

SparkCat was initially documented by Kaspersky in February 2025, when it was seen leveraging OCR technology to selectively exfiltrate images containing wallet recovery phrases from users’ photo libraries. According to Sergey Puzan, a Kaspersky researcher, the recent variant retains this technique but is more sophisticated, indicating active development and refinement by its creators.

Puzan told The Hacker News, "Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same. This campaign reiterates the importance of using comprehensive security solutions for smartphones to stay protected against a broad range of cyberthreats."

Kaspersky has previously attributed the malicious activity underlying SparkCat to a Chinese-speaking operator, underscoring the technical capabilities and resources behind this ongoing threat.


Implications for Cryptocurrency Users

Cryptocurrency wallet recovery phrases, also known as mnemonic phrases, are integral to accessing and recovering digital wallets. Any compromise of such data can lead to irreversible loss of assets. The discovery of SparkCat’s renewed activity highlights the urgent need for users, especially in cryptocurrency communities, to exercise heightened caution when downloading apps and to manage app permissions meticulously.

Experts recommend employing reputable mobile security applications and regularly monitoring devices for suspicious behavior. Avoiding the use of unofficial app stores and scrutinizing app reviews can also help mitigate risks posed by such malware.


Keeping Informed and Protected

The emergence of this new SparkCat variant serves as a stark reminder of the evolving landscape of mobile cybersecurity threats, especially financially motivated ones aimed at cryptocurrency users.
