SparkCat Mobile Malware Returns, Stealing Crypto Phrases from Photos on iOS and Android

SparkCat Malware Resurfaces on App Stores, Stealing Crypto Wallet Phrases from Photos

HIGH
April 7, 2026
5m read
Mobile Security, Malware, Phishing

Related Entities

Products & Tech: Apple App Store, Google Play Store
Other: SparkCat

Executive Summary

Security researchers at Kaspersky have identified a new, updated variant of the SparkCat mobile malware on both the official Apple App Store and Google Play Store. The malware was found embedded in applications masquerading as legitimate tools, such as enterprise chat and food delivery services, and appears to be primarily targeting users in Asia.

SparkCat employs a unique and insidious method for theft: it uses Optical Character Recognition (OCR) technology to scan the victim's entire photo library. Its goal is to find images, such as screenshots, that contain the 12- or 24-word recovery phrases for cryptocurrency wallets. Upon finding a match, the malware exfiltrates the image to a command-and-control (C2) server, granting the attackers full access to steal the victim's digital assets. The reappearance of this sophisticated malware on official app stores demonstrates the ongoing challenge of policing these ecosystems against determined, financially motivated threat actors.


Threat Overview

SparkCat, first identified in 2025, represents a specialized threat to cryptocurrency users. Unlike traditional mobile banking trojans that use overlays to steal credentials, SparkCat targets the common but insecure practice of users taking screenshots of their wallet recovery phrases for backup. The threat actor, believed to be a Chinese-speaking group, has successfully bypassed the automated and manual review processes of both Apple and Google to get their malicious apps onto the stores.

The attack begins when a user downloads one of the trojanized applications and grants it permission to access their photo gallery—a seemingly innocuous request for many app types. Once access is granted, the malware begins its main routine in the background. It iterates through every image file in the user's library and applies an OCR model to extract any text. This text is then compared against patterns that match common cryptocurrency wallet recovery phrase formats. If a likely phrase is identified, the entire image file is uploaded to the attacker's C2 server.

Technical Analysis

The malware's operation is simple but effective:

  1. Initial Access: The user is tricked into installing a malicious application from an official app store. This is a form of T1475 - IO Hijacking (in the mobile context, tricking the user into granting permissions).
  2. Defense Evasion / Collection: The malware requests permissions to access the user's photo library. This is a standard mobile application behavior, making it less likely to arouse suspicion. This aligns with T1452 - Data from Local System.
  3. Collection: The core of the attack involves using an embedded OCR engine to scan image files for specific text patterns (mnemonics/recovery phrases). This is a novel application of T1452 - Data from Local System.
  4. Exfiltration: Upon finding a match, the malware exfiltrates the image file containing the recovery phrase to a remote C2 server. This corresponds to T1041 - Exfiltration Over C2 Channel.
  5. Impact: With the recovery phrase, the attacker has complete control over the victim's cryptocurrency wallet and can transfer all funds out of it.

The use of OCR to find secrets in images is a clever technique that bypasses security controls focused on file-based data or direct input theft. It exploits user behavior rather than a technical vulnerability in the OS.

Impact Assessment

The impact on victims is direct and often irreversible financial loss. Once a cryptocurrency transaction is made, it cannot be reversed. Victims can lose their entire crypto portfolio in a matter of minutes after their recovery phrase is compromised. The targeting of users in Asia suggests a regional focus, but the malware could easily be adapted for global campaigns. The presence of SparkCat on official app stores erodes user trust and demonstrates that even these curated environments are not immune to sophisticated threats, posing a risk to millions of mobile users who store sensitive information as images on their devices.

Cyber Observables for Detection

Detection on a non-jailbroken mobile device is very difficult for an end-user. Detection relies on network-level and vendor-side analysis.

  • Type: Network Traffic Pattern
    Value: High volume of image uploads from a non-photo app
    Description: An application like a messenger or delivery service unexpectedly uploading numerous images to an unknown server is highly suspicious.
  • Type: String Pattern
    Value: Known SparkCat C2 domains
    Description: Network security solutions can block connections to C2 domains identified by Kaspersky. (Specific domains are not public.)
  • Type: Application Name
    Value: Specific app names identified by Kaspersky
    Description: The apps are typically removed quickly, but their bundle IDs can be used for historical detection.

Detection & Response

  • For Users:
    • Be cautious about which apps you grant photo library access to. If an app's functionality does not require photo access, deny the permission.
    • Regularly review the permissions of your installed applications.
    • If you suspect an infection, immediately revoke photo access for the suspicious app, check your crypto wallets for unauthorized transactions, and delete the app.
  • For Enterprise (MDM):
    • Use Mobile Device Management (MDM) and Mobile Threat Defense (MTD) solutions to monitor for and block known malicious applications.
    • Monitor network logs from mobile devices for anomalous data exfiltration patterns.
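The "high volume of image uploads from a non-photo app" observable listed above, and the enterprise advice to monitor mobile network logs, as an added detection example that is not from the report or from Kaspersky: it runs over a few constructed egress-proxy log lines, and the log layout, app identifiers, hostnames and per-app allowlists are all made up for illustration.

```python
from collections import defaultdict

# Constructed egress-proxy log lines (not real telemetry), one event per line:
# timestamp  app-id  method  host  content-type  bytes
SAMPLE_LOG = """\
2026-04-07T09:00:01Z com.example.chat POST api.example-chat.net application/json 512
2026-04-07T09:00:04Z com.example.delivery POST upload.unknown-host.example image/png 1843002
2026-04-07T09:00:05Z com.example.delivery POST upload.unknown-host.example image/png 2011223
2026-04-07T09:00:06Z com.example.delivery POST upload.unknown-host.example image/jpeg 1955001
2026-04-07T09:00:07Z com.example.delivery POST upload.unknown-host.example image/png 1730900
2026-04-07T09:00:09Z com.example.delivery GET api.example-delivery.com application/json 1024
2026-04-07T09:00:10Z com.example.photos POST photos.example-cloud.com image/jpeg 3100000
"""

# Hosts each app is expected to contact (hypothetical MDM app-inventory data).
EXPECTED_HOSTS = {
    "com.example.chat": {"api.example-chat.net"},
    "com.example.delivery": {"api.example-delivery.com"},
}
# Apps whose core function is uploading photos; image uploads from them are expected.
PHOTO_APPS = {"com.example.photos"}


def parse_line(line):
    ts, app, method, host, ctype, nbytes = line.split()
    return {"ts": ts, "app": app, "method": method, "host": host,
            "ctype": ctype, "bytes": int(nbytes)}


def find_suspicious_uploaders(log_text, min_images=3):
    """Return {app: (image_count, total_bytes, [hosts])} for non-photo apps that
    POSTed at least min_images image bodies to hosts outside their allowlist."""
    stats = defaultdict(lambda: [0, 0, set()])
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["method"] != "POST" or not ev["ctype"].startswith("image/"):
            continue  # only image uploads matter for this observable
        if ev["app"] in PHOTO_APPS or ev["host"] in EXPECTED_HOSTS.get(ev["app"], set()):
            continue  # expected behaviour for this app, not an anomaly
        count_bytes_hosts = stats[ev["app"]]
        count_bytes_hosts[0] += 1
        count_bytes_hosts[1] += ev["bytes"]
        count_bytes_hosts[2].add(ev["host"])
    return {app: (n, b, sorted(h)) for app, (n, b, h) in stats.items() if n >= min_images}


if __name__ == "__main__":
    for app, (n, b, hosts) in find_suspicious_uploaders(SAMPLE_LOG).items():
        print(f"ALERT {app}: {n} image uploads ({b} bytes) to unexpected hosts {hosts}")
```

The threshold and allowlists are the tuning knobs: a messenger legitimately uploads images to its own backend, so the allowlist, not the image count alone, is what separates the delivery app's burst of uploads to an unknown host from normal traffic.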

Mitigation

Mitigation relies heavily on user awareness and secure practices for managing cryptocurrency.

  1. Never Store Recovery Phrases Digitally: The most important mitigation is to never take a photo or create a digital copy of a cryptocurrency wallet recovery phrase. These phrases should be written down on paper and stored in a secure physical location (e.g., a safe).
  2. Scrutinize App Permissions: Be critical of the permissions that mobile apps request. If a calculator app asks for access to your contacts and photos, it is a major red flag. Only grant permissions that are essential for the app's core functionality.
  3. Use Reputable Applications: Stick to well-known, highly-rated applications from reputable developers. While this is not a foolproof method (as SparkCat demonstrates), it reduces the risk compared to downloading obscure apps.
  4. Use Hardware Wallets: For significant cryptocurrency holdings, use a hardware wallet. This keeps your private keys offline and secure, making them immune to malware on your phone or computer.

Timeline of Events

April 7, 2026: This article was published.

MITRE ATT&CK Mitigations

Educating users to never store recovery phrases digitally and to be skeptical of app permissions is the primary defense.

D3FEND Defensive Countermeasures

The most effective countermeasure against SparkCat is not technical, but behavioral. Users must be educated and adhere to a strict policy of never storing cryptocurrency recovery phrases in any digital format. This includes not taking screenshots, not saving them in password managers, not emailing them to oneself, and not storing them in a text file. Recovery phrases should be written on a physical medium (paper or metal) and secured in a safe place, like a physical safe. This completely removes the data that SparkCat is designed to steal, rendering the malware ineffective even if it successfully infects a device. Security awareness campaigns should specifically highlight the risk of storing seed phrases in photos.

Mobile users must practice strict permission management for all applications. Before granting an app access to the photo library, users should critically assess whether the app truly needs that permission for its core function. For example, a food delivery app has no legitimate reason to require access to your entire photo library. On both iOS and Android, users can review and revoke permissions for already-installed apps in the system settings. Furthermore, when an app does require photo access, users should leverage newer OS features that allow granting access to only specific, selected photos rather than the entire library. This principle of least privilege for app permissions can significantly limit the scope of what malware like SparkCat can access.

Sources & References

  • "SparkCat malware on App Stores steals crypto phrases from images", BleepingComputer (bleepingcomputer.com), April 6, 2026
  • "SparkCat Returns to Official App Stores with New Tricks", Kaspersky Securelist (securelist.com), April 7, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Mobile Security, Malware, SparkCat, iOS, Android, Cryptocurrency, OCR, Kaspersky
