New SparkCat variant attacks iOS and Android and steals crypto wallets

07.04.2026 3 minutes Author: Newsman

SparkCat malware has reappeared in mobile apps, and this time it’s even more dangerous. It was discovered right on the App Store and Google Play, where it masquerades as regular apps and silently searches users’ photos for crypto wallet credentials.

Cybersecurity experts have identified a new variant of the SparkCat malware in both the Apple App Store and Google Play, more than a year after this Trojan, which targets both mobile platforms, was first discovered.

The infected apps appear harmless and work as described. They may be instant messaging programs or meal-ordering services, and they really do what they claim to do, so their functionality raises no red flags. However, these seemingly innocuous applications contain SparkCat.

Once an infected app has been installed on your device, it is granted full permission to view your entire photo gallery. This is where things get interesting. Instead of collecting information such as passwords by conventional methods, it uses optical character recognition (OCR) to “read” every word in every image on your phone.

The malware’s objective is precise. It looks for crypto wallet “seed phrases”, the twelve- or twenty-four-word combinations needed to regain access to digital assets. Once seed phrases are found, the images containing them are sent to servers owned by the attackers.
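A defensive check for the gallery access described above, as an added example that is not part of the original article: it parses text laid out like `adb shell dumpsys package` output and reports which apps hold full photo access and which hold only the Android 14+ selected-photos grant. The sample input and its package names are constructed, and the line layout is an assumption that can differ between Android versions.

```python
import re

# Permissions that expose the whole photo library (real Android permission names).
FULL_GALLERY = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13 and later
    "android.permission.READ_EXTERNAL_STORAGE",  # Android 12 and earlier
}
# Android 14+ grant limited to photos the user picked.
PARTIAL = "android.permission.READ_MEDIA_VISUAL_USER_SELECTED"

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def gallery_access(dumpsys_text):
    """Map package name -> 'full' or 'partial' for apps that can read photos."""
    granted = {}   # package -> set of granted permission names
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    result = {}
    for pkg, perms in granted.items():
        if perms & FULL_GALLERY:
            result[pkg] = "full"
        elif PARTIAL in perms:
            result[pkg] = "partial"
    return result

# Constructed sample; the package names are made up for illustration.
SAMPLE = """\
Packages:
  Package [com.example.foodorder] (1a2b3c):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
  Package [com.example.chat] (4d5e6f):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
      android.permission.READ_MEDIA_VISUAL_USER_SELECTED: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (7a8b9c):
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for pkg, level in sorted(gallery_access(SAMPLE).items()):
        print(f"{level:8} {pkg}")
```

Apps reported as `full` can read every image in the gallery, so those are the ones worth reviewing or switching to selected-photos access.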

The updated version has become more sophisticated. This is especially noticeable on Android:

  • multi-level obfuscation is used

  • code virtualization is used

  • cross-platform technologies are used to complicate analysis

Taken together, these techniques make the malware much harder to notice and identify.

It’s also interesting that each variant has its own “geography”. For example, the Android variant searches for seed phrases in Asian languages, whereas the iOS variant searches for seed phrases in English. As a result, iPhone users may be at risk regardless of their geographical location.

Background

Researchers first noted SparkCat in 2025. At that point, it was already extracting information from images, a method that was at least somewhat uncommon in mobile malware. The research indicates, however, that the malware is under active development. Researchers believe that the same developer or developers are behind the most recent iteration of SparkCat, and that the threat not only persists but continues to evolve. We’re witnessing a classic case: first comes an experimental attempt, and then it becomes an established mechanism for stealing money.

Trust is the main issue here. Users assume that both the Apple App Store and Google Play are secure. However, even these app stores, which many consider the safest sources available, often miss apps that contain harmful content. SparkCat demonstrates this simply yet disturbingly: even an ordinary application could look through your photographs and search them for something useful. If you save your seed phrases as screenshots, essentially anyone could end up viewing your account.
