CYBERSECURITY researchers have uncovered a new SparkCat variant on the Apple App Store and Google Play Store, more than a year after the Trojan was first identified. The malware hides inside seemingly legitimate apps such as enterprise messengers and food-delivery services while quietly scanning victims’ photo galleries for cryptocurrency wallet recovery phrases, with two infected iOS apps and one Android app discovered, all focused on Asian users according to Kaspersky.
The iOS variant scans for English wallet mnemonic phrases, potentially broadening its reach beyond any single region, while the Android version uses several obfuscation layers, including code virtualization and cross‑platform languages, and looks for Japanese, Korean and Chinese keywords. SparkCat’s ability to exfiltrate targeted images is built on an OCR model that analyses text in stored images before sending matches to attacker‑controlled servers, a technique first documented by Kaspersky in February 2025.
The latest release is described as actively evolving, with the Android variant’s updated capabilities highlighting an ongoing threat landscape.