SparkCat and Venom Stealer Malware Target Crypto Wallets

by Sophie Williams

Cybersecurity researchers have uncovered a sophisticated new variant of the SparkCat Trojan infiltrating both the Apple App Store and Google Play Store, marking a resurgence of the crypto-stealing malware approximately one year after its initial discovery. According to reports from Kaspersky, the malware has been embedded within seemingly harmless applications, including food delivery services and enterprise communication messengers, to target cryptocurrency users.

Sophisticated Image Scanning and OCR Capabilities

The SparkCat operation utilizes a specialized malicious SDK designed to exfiltrate cryptocurrency wallet recovery phrases. Unlike traditional stealers that target text files or databases, this Trojan leverages an optical character recognition (OCR) model to scan a victim’s photo gallery for screenshots or images containing mnemonic phrases. This approach highlights a growing security vulnerability for users who store sensitive recovery keys as images on their mobile devices.

The scale of the threat is significant, with reports indicating that infected apps have been downloaded over 242,000 times across both major mobile platforms. Although the malicious code has since been removed from official stores following reports to Apple and Google, telemetry suggests the apps continue to be distributed via third-party websites, some of which mimic the official App Store interface to deceive iPhone users.

Regional Targeting and Technical Evolution

The threat actors have deployed different strategies based on the operating system. The Android variant specifically targets users in Asia, scanning image galleries for keywords in Chinese, Korean, and Japanese. To evade detection, the Android version employs advanced obfuscation techniques, including code virtualization and the use of cross-platform programming languages—methods that are notably rare in mobile malware.

In contrast, the iOS variant is designed for a broader global reach. It scans for cryptocurrency wallet mnemonic phrases in English, allowing it to potentially impact users regardless of their geographic region. This strategic divergence suggests a calculated effort by the operators to maximize their reach across different markets.

Origins and Industry Impact

First documented by Kaspersky in February 2025, SparkCat is believed to be the work of a Chinese-speaking operator. The evolution of the malware—from its first iteration to this latest variant—demonstrates the technical agility of the threat actors and their ability to bypass the rigorous security screenings of major app marketplaces.

The continued evolution of such Trojans signals a critical need for enhanced mobile security frameworks, as attackers increasingly move toward AI-driven tools like OCR to steal assets. For more details on the broader wave of threats, readers can refer to reports such as SparkCat und Venom Stealer: Neue Malware-Welle bedroht Krypto-Wallets.
