{"id":483,"date":"2026-04-03T10:11:08","date_gmt":"2026-04-03T10:11:08","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=483"},"modified":"2026-04-03T10:11:08","modified_gmt":"2026-04-03T10:11:08","slug":"new-sparkcat-variant-in-ios-android-apps-steals-crypto-wallet-recovery-phrase-images","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=483","title":{"rendered":"New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 03, 2026<\/span><\/span><span class=\"p-tags\">Mobile Security \/ Threat Intelligence<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Cybersecurity researchers\u00a0have <a href=\"https:\/\/x.com\/kaspersky\/status\/2039649347181191443\">discovered<\/a> a new version of\u00a0the <strong>SparkCat<\/strong> malware on the Apple App Store and Google Play Store, more than a year after the\u00a0trojan was discovered targeting both the mobile operating\u00a0systems.<\/p>\n<p>The\u00a0malware\u00a0has\u00a0been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while silently scanning victims&#8217; photo galleries for cryptocurrency wallet recovery\u00a0phrases.<\/p>\n<p>Russian cybersecurity company\u00a0Kaspersky said it\u00a0found two infected apps on the App Store and 
one\u00a0on the Google Play\u00a0Store that primarily target cryptocurrency users in\u00a0Asia.<\/p>\n<p>\u00abThe iOS variant, however, takes a different approach as it scans for cryptocurrency wallet mnemonic phrases, which are in English,\u00bb the company said. \u00abThis makes the iOS variant potentially broader in reach, as it can affect users regardless of their\u00a0region.\u00bb<\/p>\n<p>The\u00a0improved version of SparkCat for Android incorporates several obfuscation layers compared to previous iterations. This\u00a0includes the use of code virtualization and cross-platform programming languages to sidestep analysis\u00a0efforts. What&#8217;s\u00a0more, the Android version scans for Japanese, Korean, and Chinese keywords, indicating an Asian\u00a0focus.<\/p>\n<p>SparkCat was first documented by Kaspersky in February 2025, highlighting its ability to leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to an attacker-controlled\u00a0server.<\/p>\n<p>The\u00a0latest improvements to the\u00a0malware show that it&#8217;s an actively evolving\u00a0threat, not to\u00a0mention the technical capabilities of the threat actors behind the operation. 
Kaspersky had previously assessed the malicious activity to be the work of a Chinese-speaking\u00a0operator.<\/p>\n<p>\u00abThe updated variant of SparkCat requests access to view photos in a user&#8217;s smartphone gallery in certain scenarios \u2014 just like the very first version of the Trojan,\u00bb Kaspersky researcher Sergey Puzan told The Hacker News. \u00abIt analyzes the text in stored images using an optical character recognition\u00a0module.\u00bb<\/p>\n<p>\u00abIf the stealer finds relevant keywords, it sends the image to the attackers. Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same. 
This\u00a0campaign again underscores the importance of using security solutions for smartphones to stay protected against a broad range of cyberthreats.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 03, 2026Mobile Security \/ Threat Intelligence Cybersecurity researchers\u00a0have discovered a new version of\u00a0the SparkCat malware on the Apple App Store and Google Play Store, more than a year&hellip;<\/p>\n","protected":false},"author":1,"featured_media":484,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[281,616,143,1052,428,1051,1050,1048,295,664,1049],"class_list":["post-483","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-android","tag-apps","tag-crypto","tag-images","tag-ios","tag-phrase","tag-recovery","tag-sparkcat","tag-steals","tag-variant","tag-wallet"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=483"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/483\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/484"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thed
igitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}