SparkCat Malware Resurfaces on App Stores with Enhanced Obfuscation and Expanded Targeting
A new iteration of the **SparkCat** malware has been discovered on both the **Apple App Store** and **Google Play Store**, over a year after its initial detection. This updated version features improved obfuscation techniques and targets cryptocurrency users with a particular focus on Asia.

Cybersecurity researchers have identified a new variant of the **SparkCat** malware targeting both **Android** and **iOS** users via the official app stores. The malware disguises itself within seemingly harmless applications like enterprise messengers and food delivery services.
### SparkCat: A Refresher
**SparkCat** malware silently scans victims' photo galleries for cryptocurrency wallet recovery phrases.
**Kaspersky** reports finding two infected applications on the **App Store** and one on the **Google Play Store**, primarily targeting cryptocurrency users in Asia. The **iOS** variant scans for English mnemonic phrases, potentially affecting a broader range of users regardless of their region.
### Enhanced Obfuscation Techniques
The updated **Android** version of **SparkCat** incorporates several layers of obfuscation to evade detection. These include code virtualization and cross-platform programming languages. The **Android** version specifically targets Japanese, Korean, and Chinese keywords, indicating a strong focus on Asian users.
### OCR and Data Exfiltration
First documented by **Kaspersky** in February 2025, **SparkCat** uses optical character recognition (OCR) to read the text in stored images and pick out those containing wallet recovery phrases. The matching images are then exfiltrated to a server controlled by the attacker.
The latest improvements to **SparkCat** demonstrate the active evolution and technical sophistication of the threat actors behind this campaign. **Kaspersky** attributes the malicious activity to a Chinese-speaking operator.
### Expert Analysis
"The updated variant of SparkCat requests access to view photos in a user's smartphone gallery in certain scenarios β just like the very first version of the Trojan," said **Kaspersky** researcher Sergey Puzan. "It analyzes the text in stored images using an optical character recognition module."
"If the stealer finds relevant keywords, it sends the image to the attackers. Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same. This campaign again underscores the importance of using security solutions for smartphones to stay protected against a broad range of cyberthreats."