
Cybersecurity researchers have discovered a new version of SparkCat malware on the Apple App Store and Google Play Store. It has been over a year since this Trojan was discovered targeting both mobile operating systems.
The malware has been found hiding inside seemingly innocuous apps like enterprise messengers and food delivery services, silently scanning victims’ photo galleries for recovery phrases for their crypto wallets.
Russian cybersecurity company Kaspersky has announced that it has found two infected apps in the App Store and one in the Google Play Store that primarily target crypto users in Asia.
“However, the iOS variant takes a different approach when scanning for cryptocurrency wallet mnemonic phrases written in English,” the company said. “This could further widen the reach of iOS variants as they can impact users regardless of region.”
The improved version of SparkCat for Android adds several layers of obfuscation compared to previous versions. These include code virtualization and the use of cross-platform programming languages to hinder analysis. Additionally, the Android version scans for Japanese, Korean, and Chinese keywords, indicating an Asian focus.
SparkCat was first documented by Kaspersky in February 2025, highlighting its ability to leverage optical character recognition (OCR) models to exfiltrate selected images containing wallet recovery phrases from a photo library to an attacker-controlled server.
The latest improvements indicate that the malware is an actively evolving threat and point to the technical capabilities of the attackers behind it. Kaspersky previously attributed the malicious activity to Chinese-speaking operators.
“The updated variant of SparkCat, similar to the first version of the Trojan, requests access to view photos in the user’s smartphone gallery in certain scenarios,” Kaspersky researcher Sergei Puzan told The Hacker News. “Using an optical character recognition module to analyze text in stored images.”
“Once the thieves find a relevant keyword, they send the image to the attackers. Given the similarities between the current and previous samples, we believe the new version of the malware is from the same developer. This campaign once again emphasizes the importance of using security solutions for smartphones to stay protected from a wide range of cyber threats.”
