PROBABLYPWNED
Malware · April 5, 2026 · 4 min read

SparkCat Crypto Stealer Returns to iOS and Android App Stores

Kaspersky discovers new SparkCat malware variants on Apple App Store and Google Play that use OCR to steal cryptocurrency wallet recovery phrases from photo galleries.

James Rivera

The SparkCat malware has resurfaced on both the Apple App Store and Google Play Store with upgraded evasion capabilities, more than a year after researchers first documented the crypto-stealing trojan. Kaspersky researchers identified the new variants in early April 2026, hidden within seemingly legitimate applications.

How SparkCat Steals Your Crypto

SparkCat is an OCR-based trojan that scans victims' photo galleries for cryptocurrency wallet recovery phrases. Many users screenshot their wallet seed phrases for backup purposes—a practice security experts have long warned against. SparkCat exploits this habit by using optical character recognition to identify and exfiltrate these images to attacker-controlled servers.

The malware disguises itself within everyday apps like enterprise messengers and food delivery services. Kaspersky found two infected apps on the App Store and one on Google Play, though the specific app names weren't disclosed to prevent tipping off the operators.

Platform-Specific Targeting

The Android variant focuses on Asian cryptocurrency users, scanning for Japanese, Korean, and Chinese keywords in photo metadata and image content. This regional targeting aligns with the high cryptocurrency adoption rates across East Asia.

The iOS version takes a broader approach, scanning for English-language wallet mnemonics. This makes the iOS variant potentially more dangerous globally, as English seed phrases are used by cryptocurrency holders regardless of their region.

This isn't the first time mobile app stores have hosted crypto-stealing malware. We covered the NoVoice Android rootkit last week, which infected 2.3 million devices through Google Play before detection. Mobile app stores continue to struggle with vetting submissions that hide malicious functionality behind legitimate-looking interfaces.

Technical Evolution

The updated SparkCat variants incorporate code virtualization and cross-platform programming languages to frustrate reverse engineering efforts. These obfuscation layers represent a significant upgrade from the original 2025 versions, indicating active development by the malware operators.

Kaspersky attributes SparkCat to Chinese-speaking threat actors based on code artifacts and infrastructure patterns observed across multiple campaigns. The group appears focused exclusively on cryptocurrency theft, with no evidence of broader espionage or data collection objectives.

Why This Matters

Cryptocurrency theft through mobile malware has accelerated in 2026 as threat actors chase the growing pool of retail crypto holders. The CrystalX RAT we reported on earlier this week used similar wallet-targeting techniques, demonstrating that crypto theft has become a standard feature in modern infostealer kits.

SparkCat's presence on official app stores is particularly concerning. Users generally trust apps downloaded from Apple and Google's curated marketplaces, creating a false sense of security that malware authors exploit. Both companies employ automated scanning and manual review processes, but sophisticated malware continues to slip through.

The photo gallery attack vector is clever. Users who understand the risks of storing seed phrases in password managers or cloud storage may not realize that local photo galleries are equally vulnerable. Once SparkCat gains photo access permissions—a common request from legitimate apps—it can silently scan every image on the device.

Protecting Your Crypto Assets

Security researcher Sergey Puzan from Kaspersky recommends using mobile security solutions that can detect malicious behavior patterns. Beyond that:

  1. Never screenshot recovery phrases: write them on paper and store them physically.
  2. Audit app permissions: question why a food delivery app needs photo gallery access.
  3. Use hardware wallets: for significant holdings, cold storage eliminates this attack surface.
  4. Enable app verification: both iOS and Android offer settings to flag potentially harmful apps.
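As an added illustration of step 2 (not code from the article or from Kaspersky), the script below parses `adb shell dumpsys package` output and lists which Android packages have actually been granted a gallery-exposing permission, so an unexpected app such as a food delivery client stands out. The package names and the dumpsys excerpt are constructed; the permission set and the `granted=true` line format are assumptions about current Android output.

```python
import re
from collections import defaultdict

# Android permissions that expose the photo gallery (assumption: the set a
# defender would audit; extend it for older or vendor-specific permissions).
GALLERY_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Constructed sample modelled on `adb shell dumpsys package` output;
# package names are hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fooddelivery] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_MEDIA_IMAGES
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (d4e5f6):
    requested permissions:
      android.permission.READ_MEDIA_IMAGES
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def gallery_access(dump: str) -> dict:
    # Returns {package: set of granted gallery permissions}; packages that
    # merely request the permission but were denied are left out.
    granted = defaultdict(set)
    pkg = None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)
            continue
        m = PERM_RE.match(line)
        if pkg and m and m.group(1) in GALLERY_PERMS and m.group(2) == "true":
            granted[pkg].add(m.group(1))
    return dict(granted)

if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then pass the text.
    for pkg, perms in sorted(gallery_access(SAMPLE_DUMPSYS).items()):
        print(f"{pkg}: {', '.join(sorted(perms))}")
```

iOS has no equivalent command-line dump; review Settings > Privacy & Security > Photos by hand for the same question.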

Organizations allowing personal devices for work should consider mobile threat defense solutions, particularly if employees have access to corporate cryptocurrency wallets or financial systems. The line between personal crypto theft and corporate compromise is thin when the same device accesses both.

For those already affected, Kaspersky notes the malware exfiltrates images containing seed phrases, not the phrases themselves. Attackers still need to manually process stolen images, creating a window for victims to transfer funds to new wallets if they catch the infection early.
