Cybersecurity experts have identified an updated version of the SparkCat trojan lurking in official mobile app stores more than a year after its initial discovery. This evolving malware hides inside legitimate-looking applications and scans the user's photo gallery for cryptocurrency recovery phrases using optical character recognition (OCR).
Security researchers recently found three malicious applications on the Apple App Store and Google Play Store linked to the SparkCat malware family. These apps frequently pose as harmless utility software, such as food delivery tools or business messaging platforms, to trick users into granting permissions. Once installed, the malware silently combs through the device's image library to find and steal sensitive data related to digital assets.
The latest iteration of this threat shows a sophisticated level of technical growth, particularly in how it avoids detection on Android devices. The malware's developers have added multiple layers of obfuscation, including code virtualization and cross-platform languages, to make analysis harder for security software. While the Android version specifically targets users in Asia by scanning for keywords in Chinese, Japanese, and Korean, the iOS version has a much broader reach.
On Apple devices, the malware focuses on identifying English mnemonic phrases used for cryptocurrency wallet recovery. Because these recovery keys are almost universally issued in English, the iOS variant poses a significant risk to users globally, regardless of their native language or geographic location. This shift in strategy suggests the attackers are looking to maximize their potential victim pool by moving beyond regional constraints.
This specific malware campaign is believed to be the work of Chinese-speaking threat actors who first surfaced in early 2025. The core functionality remains centered on an optical character recognition module that analyzes screenshots and saved photos. If the module detects keywords associated with private keys or seed phrases, it immediately exfiltrates the original image to a remote server controlled by the attackers.
The persistence of SparkCat in official app marketplaces highlights the ongoing challenges of mobile security and the ingenuity of modern cybercriminals. Security experts emphasize that because these apps often pass initial store screenings, users must remain vigilant about the permissions they grant to new software, in particular access to the photo library. Protecting digital assets now requires a combination of cautious app selection and the use of dedicated mobile security tools that can intercept these silent background scans.