SparkCat malware has returned with a dangerous new variant that proves mobile threats continue to evolve faster than app store defenses can catch them. A year after the original campaign was exposed, researchers have discovered an updated version of the cross-platform spyware that targets both iOS and Android devices, primarily stealing cryptocurrency wallet recovery phrases from unsuspecting users.
Key Takeaways
- SparkCat malware has resurfaced with a new variant called SparkKitty, bypassing App Store and Google Play security over a year after the original campaign
- The malware uses OCR technology to scan smartphone photo galleries for cryptocurrency seed phrases and backup codes
- Infected Android apps were downloaded more than 242,000 times from Google Play before removal
- The threat primarily targets cryptocurrency users in Asia, with language-specific OCR models for Japanese, Korean, and Chinese
- Both iOS and Android variants request photo gallery access under innocent pretexts like image customization or customer support
How SparkCat Malware Actually Works
The updated SparkCat variant operates through a deceptively simple mechanism that exploits user trust. When victims open a specific screen within the compromised app—such as a support chat or image customization feature—the malware requests permission to access the phone’s photo gallery. Users grant this access believing the app needs photos for legitimate purposes like sending images to customer support or customizing their profile.
Once inside the gallery, SparkCat deploys optical character recognition technology to scan every stored image and screenshot. The malware downloads language-specific OCR models targeting Latin, Korean, Chinese, and Japanese text, then searches for cryptocurrency-related keywords like “Mnemonic” or patterns matching seed phrases and backup codes. When it identifies relevant images, the malware silently exfiltrates them to attacker-controlled servers. According to Kaspersky researcher Sergey Puzan, “The updated variant of SparkCat requests access to view photos in a user’s smartphone gallery in certain scenarios—just like the very first version of the Trojan. It analyzes the text in stored images using an optical character recognition module. If the stealer finds relevant keywords, it sends the image to the attackers”.
Where SparkCat Hides and How It Spreads
What makes SparkCat particularly dangerous is its ability to masquerade as legitimate applications. The malware has been distributed through official app stores as well as third-party sources mimicking legitimate marketplaces. On Google Play, infected apps posed as enterprise messengers, food delivery services, and AI-powered assistants with names like WeTink, AnyGPT, and ComeCome. These apps appeared innocent enough to bypass initial security reviews, though they have since been removed after security researchers reported them.
The technical implementation differs between platforms. On Android, SparkCat operates through a malicious SDK disguised as a data analysis tool, checking system flags and reading specific cache files to determine whether to activate its payload. The iOS variant uses frameworks that mimic legitimate libraries like AFNetworking and Alamofire, making it blend smoothly into the app’s legitimate code. Both approaches share architectural similarities with the original SparkCat campaign, strongly suggesting the same Chinese-speaking developers are behind the new variant.
Why Cryptocurrency Users Are the Primary Target
SparkCat’s focus on seed phrases reveals its true objective: stealing cryptocurrency wallets. A seed phrase—also called a mnemonic phrase—is the master key to a cryptocurrency wallet. Anyone with this phrase can access and drain all funds, making it far more valuable than passwords or login credentials. The malware’s language-specific OCR models suggest operators are primarily targeting cryptocurrency users in Asia, particularly in Japan, Korea, and China, though the iOS variant scans for English mnemonics to cast a wider net across Europe and potentially the Middle East and Africa.
The threat extends beyond cryptocurrency. While seed phrases are the primary target, SparkCat also intercepts SMS messages and notifications to capture two-factor authentication codes, which could be weaponized for broader account takeovers. This combination of capabilities makes SparkCat a sophisticated threat that goes beyond simple financial theft.
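The Android capability set described above (broad photo-gallery access combined with SMS and notification interception to capture two-factor codes) is visible in a package's manifest before the app is ever trusted. The script below is an added example written for this article, not code from Kaspersky or from any of the apps named; it parses an AndroidManifest.xml with the standard library and flags that combination. The permission and service names are real Android identifiers; the two manifests and their package names are constructed samples.

```python
"""Triage an Android manifest for the permission mix the article describes.

Added example written for this page; it is not Kaspersky's detection logic
or any vendor's rule. It reads <uses-permission> entries and <service>
declarations from an AndroidManifest.xml and reports whether a package
combines broad photo-gallery access with SMS or notification interception.
The two manifests below are constructed samples, not real apps.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names, grouped by the capability they grant.
GALLERY_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",   # pre-Android 13 gallery read
    "android.permission.READ_MEDIA_IMAGES",       # Android 13+ image access
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# A notification listener is a <service> guarded by this permission rather
# than a <uses-permission> entry, so it is looked up separately.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, its sensitive capabilities and a review flag."""
    root = ET.fromstring(xml_text)
    requested = {el.get(NAME) for el in root.iter("uses-permission")}
    requested.discard(None)
    listener = any(
        svc.get(PERMISSION) == NOTIFICATION_LISTENER for svc in root.iter("service")
    )
    caps = {
        "gallery": bool(requested & GALLERY_PERMS),
        "sms": bool(requested & SMS_PERMS),
        "notifications": listener,
    }
    # Gallery read plus a 2FA interception channel is the profile to review.
    flagged = caps["gallery"] and (caps["sms"] or caps["notifications"])
    return {
        "package": root.get("package", "<unknown>"),
        "capabilities": caps,
        "flagged": flagged,
    }


def describe(result: dict) -> str:
    """One-line human summary suitable for a triage report."""
    caps = ", ".join(k for k, v in result["capabilities"].items() if v) or "none"
    verdict = "REVIEW" if result["flagged"] else "ok"
    return f"{result['package']}: {verdict} (sensitive capabilities: {caps})"


# Constructed sample: a "messenger" that wants the whole gallery plus SMS
# and a notification listener. Package name is made up.
SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application>
        <service android:name=".NotificationHook"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a support-chat app that lets the user pick single
# images through the system photo picker, so it needs no gallery permission.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.support">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(describe(triage_manifest(manifest)))
```

The benign manifest illustrates the design point for app developers: an upload-to-support feature can use the platform photo picker, which returns only the images the user chooses, so a request for READ_MEDIA_IMAGES or READ_EXTERNAL_STORAGE on such a screen is itself worth questioning.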
The Scale of the Infection
Google Play telemetry reveals the scope of SparkCat’s reach. Infected Android applications were downloaded more than 242,000 times before being removed from the official store. This figure underscores a critical gap: malware can slip past app store security reviews and accumulate massive download numbers before detection. Removal from the store does not uninstall the app from devices, so users who installed these apps during the active period remain at risk until they uninstall them.
The fact that SparkCat returned over a year after the original campaign—with a new variant incorporating advanced obfuscation techniques like code virtualization and cross-platform development languages—demonstrates that threat actors view this attack vector as viable long-term. App store security has not kept pace with the sophistication of modern mobile malware.
What Separates SparkCat From Other Mobile Threats
Most mobile malware focuses on stealing credentials, intercepting communications, or displaying advertisements. SparkCat’s use of OCR to extract information from images represents a rare and sophisticated approach. Rather than requiring the malware to intercept network traffic or hook into system APIs, it simply scans what users have already stored locally—screenshots of wallet backups, photos of recovery phrases written on paper, or images sent through messaging apps.
This technique is particularly effective because many cryptocurrency users take screenshots of their seed phrases for backup purposes, storing them in the phone’s gallery on the assumption that the gallery is private. SparkCat exploits this common but unsafe habit. The malware’s ability to work across both iOS and Android platforms using similar techniques further amplifies its threat—users cannot assume that switching to iOS provides protection.
How Users Can Protect Themselves
The SparkCat resurgence highlights several critical security practices. First, never store seed phrases, passwords, or backup codes as screenshots or images on your phone. Write them down on paper and store the paper in a secure location like a safe deposit box. Second, be extremely cautious when granting photo gallery access to apps—most applications have no legitimate reason to browse your entire photo history. Third, download apps only from official app stores and check user reviews for warnings before installation.
Additionally, use a reputable mobile security solution that can detect and block malware before it executes. While app store security has proven insufficient to stop SparkCat, layered defense strategies can catch threats that slip through official channels. Keep your operating system and all apps updated to patch security vulnerabilities that malware could exploit.
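The keyword-and-pattern scan described in "How SparkCat Malware Actually Works" is also the kind of rule a data-loss-prevention tool, or a user auditing their own screenshots, can run over OCR output to find backups that should never have been photographed, which is the practical side of the first piece of advice above. The script below is an added example, not SparkCat's code and not a vendor rule. It assumes BIP39-style phrases of 12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters; the keyword list is an assumption about how wallets label such screens; and the three OCR texts are constructed samples.

```python
"""Flag OCR text that looks like a wallet recovery phrase or 2FA backup code.

Added example for this article; it is not SparkCat's code and not a vendor
DLP rule. Intended for a user or security team checking the text recovered
from their own screenshots. Assumptions: BIP39-style mnemonics are 12, 15,
18, 21 or 24 lowercase words of 3-8 letters, and the keyword list below
covers how wallets usually label them. All sample texts are constructed.
"""
import re

KEYWORDS = ("mnemonic", "seed phrase", "recovery phrase", "secret phrase",
            "backup code", "private key")
PHRASE_LENGTHS = {12, 15, 18, 21, 24}
INDEX_RE = re.compile(r"^\d{1,2}[.):]?$")                        # bare list index: "7." "12)"
INDEXED_WORD_RE = re.compile(r"^(?:\d{1,2}[.)])?([a-z]{3,8})$")  # "7.abandon" or "abandon"


def candidate_phrases(text: str) -> list[list[str]]:
    """Return maximal runs of mnemonic-looking words with a BIP39 phrase length.

    Case is preserved on purpose: wallets render mnemonics in lowercase, while
    headers such as "Your Secret Recovery Phrase" are capitalised and so end a
    run. A trailing comma is tolerated because some wallets comma-separate
    the words; any other punctuation or a non-word token ends the run.
    """
    runs, current = [], []
    for token in text.split():
        token = token.rstrip(",")
        if INDEX_RE.match(token):
            continue                          # "1." "2." ... do not break a run
        m = INDEXED_WORD_RE.match(token)
        if m:
            current.append(m.group(1))
            continue
        if len(current) in PHRASE_LENGTHS:
            runs.append(current)
        current = []
    if len(current) in PHRASE_LENGTHS:
        runs.append(current)
    return runs


def classify(ocr_text: str) -> dict:
    """Combine keyword hits and phrase runs into a confidence level."""
    lowered = ocr_text.lower()
    keywords = [k for k in KEYWORDS if k in lowered]
    phrases = candidate_phrases(ocr_text)
    if keywords and phrases:
        confidence = "high"
    elif keywords or phrases:
        confidence = "medium"
    else:
        confidence = "none"
    return {"keywords": keywords, "phrases": phrases, "confidence": confidence}


# Constructed OCR output of a wallet backup screen (the first twelve BIP39
# wordlist entries, which are public and not a real wallet's phrase).
WALLET_SCREENSHOT_TEXT = """Your Secret Recovery Phrase
1. abandon  2. ability  3. able  4. about
5. above  6. absent  7. absorb  8. abstract
9. absurd  10. abuse  11. access  12. accident
Never share this phrase with anyone."""

# Constructed OCR output of an ordinary chat screenshot.
CHAT_SCREENSHOT_TEXT = """Anna: Did you get the invoice?
Me: Yes, sending it to finance today.
Anna: Thanks! Call me when it is done."""

# Constructed OCR output of a 2FA backup-code screen (digits are made up).
BACKUP_CODES_TEXT = """Two-factor backup codes
4831 2290
7741 0032
(each code works once)"""

if __name__ == "__main__":
    for label, text in (("wallet", WALLET_SCREENSHOT_TEXT),
                        ("chat", CHAT_SCREENSHOT_TEXT),
                        ("backup codes", BACKUP_CODES_TEXT)):
        print(label, "->", classify(text)["confidence"])
```

A run of exactly twelve lowercase short words in ordinary prose can produce a medium-confidence hit, which is why a keyword together with a phrase run is required for high confidence; treat medium hits as candidates for a quick manual look rather than as findings.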
Will SparkCat Keep Returning?
The emergence of a new SparkCat variant over a year after the original campaign suggests this threat is not disappearing. Kaspersky researchers noted that “the developers of the new version of malware are the same” based on shared code frameworks and build paths. As long as cryptocurrency remains valuable and users continue storing sensitive information on their phones, threat actors will refine these attacks. The cat-and-mouse game between app store security and sophisticated malware developers will intensify, making user vigilance more important than ever.
Is SparkCat only targeting cryptocurrency users?
While SparkCat’s primary focus is stealing cryptocurrency seed phrases, the malware’s OCR capabilities could theoretically be repurposed to extract any valuable text from photos, including banking credentials, personal identification numbers, or sensitive documents. The current variant targets crypto users specifically, but the underlying technology is flexible enough to adapt to other high-value targets.
Can iOS users really get SparkCat malware?
Yes. Apple’s reputation for security has led many iOS users to believe their devices are immune to malware, but SparkCat proves otherwise. The iOS variant was delivered as embedded frameworks disguised as legitimate libraries, allowing it to pass initial security screening. iOS security is stronger than Android’s in many respects, but it is not impenetrable—determined attackers with resources can still find ways to distribute malware through official channels.
How do I know if my phone is infected with SparkCat?
SparkCat is designed to operate silently without obvious symptoms. However, if you installed any of the compromised apps listed by researchers before they were removed—particularly WeTink, AnyGPT, or ComeCome—you should uninstall them immediately and change any cryptocurrency wallet passwords or recovery methods. If you stored seed phrases as screenshots on your phone, assume they may have been compromised and move your funds to a new wallet with a freshly generated seed phrase.
The SparkCat malware resurgence demonstrates that mobile security remains a critical weak point for cryptocurrency users and anyone storing sensitive information on their phones. App store security, while improving, cannot be the sole defense against determined threat actors. Personal vigilance—avoiding suspicious apps, restricting permissions, and never storing critical secrets as digital images—remains the most reliable protection against evolving mobile threats.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar