Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems.
The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while silently scanning victims’ photo galleries for cryptocurrency wallet recovery phrases.
Russian cybersecurity company Kaspersky said it found two infected apps on the App Store and one on the Google Play Store that primarily target cryptocurrency users in Asia.
“The iOS variant, however, takes a different approach as it scans for cryptocurrency wallet mnemonic phrases, which are in English,” the company said. “This makes the iOS variant potentially broader in reach, as it can affect users regardless of their region.”
The improved version of SparkCat for Android incorporates several obfuscation layers compared to previous iterations. This includes the use of code virtualization and cross-platform programming languages to sidestep analysis efforts. What’s more, the Android version scans for Japanese, Korean, and Chinese keywords, indicating an Asian focus.
SparkCat was first documented by Kaspersky in February 2025, highlighting its ability to leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to an attacker-controlled server.
The latest improvements to the malware show that it’s an actively evolving threat, not to mention the technical capabilities of the threat actors behind the operation. Kaspersky had previously assessed the malicious activity to be the work of a Chinese-speaking operator.
“The updated variant of SparkCat requests access to view photos in a user’s smartphone gallery in certain scenarios — just like the very first version of the Trojan,” Kaspersky researcher Sergey Puzan told The Hacker News. “It analyzes the text in stored images using an optical character recognition module.”
“If the stealer finds relevant keywords, it sends the image to the attackers. Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same. This campaign again underscores the importance of using security solutions for smartphones to stay protected against a broad range of cyberthreats.”
