[{"data":1,"prerenderedAt":114},["ShallowReactive",2],{"article-slug-sparkcat-malware-resurfaces-on-app-stores-stealing-crypto-wallet-phrases":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":30,"sources":31,"events":54,"mitre_techniques":55,"mitre_mitigations":67,"d3fend_countermeasures":73,"iocs":85,"cyber_observables":86,"tags":98,"extract_datetime":103,"article_type":104,"impact_scope":105,"pub_date":46,"reading_time_minutes":113,"createdAt":103,"updatedAt":103},"7b62784b-41e2-4d2f-9149-202526a2bab9","sparkcat-malware-resurfaces-on-app-stores-stealing-crypto-wallet-phrases","SparkCat Mobile Malware Returns, Stealing Crypto Phrases from Photos on iOS and Android","SparkCat Malware Resurfaces on App Stores, Stealing Crypto Wallet Phrases from Photos","A new variant of the SparkCat mobile trojan has been discovered on both the Apple App Store and Google Play Store, disguised as legitimate applications like enterprise messengers. Security researchers at Kaspersky report that the malware, which primarily targets users in Asia, uses a novel technique to steal cryptocurrency. After gaining access to a user's photo gallery, SparkCat employs Optical Character Recognition (OCR) to scan all images, searching for text that matches the format of a cryptocurrency wallet recovery phrase. If a potential phrase is found, the image is exfiltrated to an attacker-controlled server, giving the threat actor complete control over the victim's crypto assets. The malware's ability to bypass the security vetting of both major app stores highlights a significant threat to mobile users.","## Executive Summary\n\nSecurity researchers at **[Kaspersky](https://www.kaspersky.com)** have identified a new, updated variant of the **SparkCat** mobile malware on both the official **[Apple](https://www.apple.com/)** App Store and **[Google](https://play.google.com/store)** Play Store. The malware was found embedded in applications masquerading as legitimate tools, such as enterprise chat and food delivery services, and appears to be primarily targeting users in Asia. \n\nSparkCat employs a unique and insidious method for theft: it uses Optical Character Recognition (OCR) technology to scan the victim's entire photo library. Its goal is to find images, such as screenshots, that contain the 12 or 24-word recovery phrases for cryptocurrency wallets. Upon finding a match, the malware exfiltrates the image to a command-and-control (C2) server, granting the attackers full access to steal the victim's digital assets. The reappearance of this sophisticated malware on official app stores demonstrates the ongoing challenge of policing these ecosystems against determined, financially motivated threat actors.\n\n---\n\n## Threat Overview\n\nSparkCat, first identified in 2025, represents a specialized threat to cryptocurrency users. Unlike traditional mobile banking trojans that use overlays to steal credentials, SparkCat targets the common but insecure practice of users taking screenshots of their wallet recovery phrases for backup. The threat actor, believed to be a Chinese-speaking group, has successfully bypassed the automated and manual review processes of both Apple and Google to get their malicious apps onto the stores.\n\nThe attack begins when a user downloads one of the trojanized applications and grants it permission to access their photo gallery—a seemingly innocuous request for many app types. Once access is granted, the malware begins its main routine in the background. It iterates through every image file in the user's library and applies an OCR model to extract any text. This text is then compared against patterns that match common cryptocurrency wallet recovery phrase formats. If a likely phrase is identified, the entire image file is uploaded to the attacker's C2 server.\n\n## Technical Analysis\n\nThe malware's operation is simple but effective:\n\n1.  **Initial Access:** The user is tricked into installing a malicious application from an official app store. This is a form of [`T1475 - IO Hijacking`](https://attack.mitre.org/techniques/T1475/) (in the mobile context, tricking the user into granting permissions).\n2.  **Defense Evasion / Collection:** The malware requests permissions to access the user's photo library. This is a standard mobile application behavior, making it less likely to arouse suspicion. This aligns with [`T1452 - Data from Local System`](https://attack.mitre.org/techniques/T1452/).\n3.  **Collection:** The core of the attack involves using an embedded OCR engine to scan image files for specific text patterns (mnemonics/recovery phrases). This is a novel application of [`T1452 - Data from Local System`](https://attack.mitre.org/techniques/T1452/).\n4.  **Exfiltration:** Upon finding a match, the malware exfiltrates the image file containing the recovery phrase to a remote C2 server. This corresponds to [`T1041 - Exfiltration Over C2 Channel`](https://attack.mitre.org/techniques/T1041/).\n5.  **Impact:** With the recovery phrase, the attacker has complete control over the victim's cryptocurrency wallet and can transfer all funds out of it.\n\n> The use of OCR to find secrets in images is a clever technique that bypasses security controls focused on file-based data or direct input theft. It exploits user behavior rather than a technical vulnerability in the OS.\n\n## Impact Assessment\n\nThe impact on victims is direct and often irreversible financial loss. Once a cryptocurrency transaction is made, it cannot be reversed. Victims can lose their entire crypto portfolio in a matter of minutes after their recovery phrase is compromised. The targeting of users in Asia suggests a regional focus, but the malware could easily be adapted for global campaigns. The presence of SparkCat on official app stores erodes user trust and demonstrates that even these curated environments are not immune to sophisticated threats, posing a risk to millions of mobile users who store sensitive information as images on their devices.\n\n## Cyber Observables for Detection\n\nDetection on a non-jailbroken mobile device is very difficult for an end-user. Detection relies on network-level and vendor-side analysis.\n\n| Type | Value | Description |\n| --- | --- | --- |\n| Network Traffic Pattern | High volume of image uploads from a non-photo app | An application like a messenger or delivery service unexpectedly uploading numerous images to an unknown server is highly suspicious. |\n| String Pattern | Known SparkCat C2 domains | Network security solutions can block connections to C2 domains identified by Kaspersky. (Specific domains not public). |\n| Application Name | Specific app names identified by Kaspersky | The apps are typically removed quickly, but their bundle IDs can be used for historical detection. |\n\n## Detection & Response\n\n*   **For Users:**\n    *   Be cautious about which apps you grant photo library access to. If an app's functionality does not require photo access, deny the permission.\n    *   Regularly review the permissions of your installed applications.\n    *   If you suspect an infection, immediately revoke photo access for the suspicious app, check your crypto wallets for unauthorized transactions, and delete the app.\n\n*   **For Enterprise (MDM):**\n    *   Use Mobile Device Management (MDM) and Mobile Threat Defense (MTD) solutions to monitor for and block known malicious applications.\n    *   Monitor network logs from mobile devices for anomalous data exfiltration patterns.\n\n## Mitigation\n\nMitigation relies heavily on user awareness and secure practices for managing cryptocurrency.\n\n1.  **Never Store Recovery Phrases Digitally:** The most important mitigation is to **never** take a photo or create a digital copy of a cryptocurrency wallet recovery phrase. These phrases should be written down on paper and stored in a secure physical location (e.g., a safe).\n2.  **Scrutinize App Permissions:** Be critical of the permissions that mobile apps request. If a calculator app asks for access to your contacts and photos, it is a major red flag. Only grant permissions that are essential for the app's core functionality.\n3.  **Use Reputable Applications:** Stick to well-known, highly-rated applications from reputable developers. While this is not a foolproof method (as SparkCat demonstrates), it reduces the risk compared to downloading obscure apps.\n4.  **Use Hardware Wallets:** For significant cryptocurrency holdings, use a hardware wallet. This keeps your private keys offline and secure, making them immune to malware on your phone or computer.","New 'SparkCat' malware found on Apple App Store & Google Play! 📱 It uses OCR to scan your photos for crypto wallet recovery phrases and drains your funds. ⚠️ Never save your seed phrase as an image! #MobileSecurity #Malware #Crypto","A new variant of the SparkCat malware has been found on the Apple App Store and Google Play, using optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from users' photos.",[13,14,15],"Mobile Security","Malware","Phishing","high",[18,21,25,28],{"name":19,"type":20},"SparkCat","malware",{"name":22,"type":23,"url":24},"Kaspersky","security_organization","https://www.kaspersky.com",{"name":26,"type":27},"Apple App Store","product",{"name":29,"type":27},"Google Play Store",[],[32,38,43,49],{"url":33,"title":34,"date":35,"friendly_name":36,"website":37},"https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html","New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images","2026-04-06","The Hacker News","thehackernews.com",{"url":39,"title":40,"date":35,"friendly_name":41,"website":42},"https://www.bleepingcomputer.com/news/security/sparkcat-malware-on-app-stores-steals-crypto-phrases-from-images/","SparkCat malware on App Stores steals crypto phrases from images","BleepingComputer","bleepingcomputer.com",{"url":44,"title":45,"date":46,"friendly_name":47,"website":48},"https://www.zdnet.com/article/this-malware-scans-your-photos-for-crypto-wallet-phrases-and-its-on-the-app-store/","This malware scans your photos for crypto wallet phrases - and it's on the App Store","2026-04-07","ZDNet","zdnet.com",{"url":50,"title":51,"date":46,"friendly_name":52,"website":53},"https://securelist.com/sparkcat-returns-to-app-stores/112345/","SparkCat Returns to Official App Stores with New Tricks","Kaspersky Securelist","securelist.com",[],[56,60,64],{"id":57,"name":58,"tactic":59},"T1452","Data from Local System","Collection",{"id":61,"name":62,"tactic":63},"T1041","Exfiltration Over C2 Channel","Exfiltration",{"id":65,"name":66,"tactic":59},"T1475","IO Hijacking",[68],{"id":69,"name":70,"description":71,"domain":72},"M1017","User Training","Educating users to never store recovery phrases digitally and to be skeptical of app permissions is the primary defense.","enterprise",[74,79],{"technique_id":75,"technique_name":76,"url":77,"recommendation":78,"mitre_mitigation_id":69},"D3-PDS","Prohibit Digital Storage","https://d3fend.mitre.org/technique/d3f:ProhibitDigitalStorage","The most effective countermeasure against SparkCat is not technical, but behavioral. Users must be educated and adhere to a strict policy of never storing cryptocurrency recovery phrases in any digital format. This includes not taking screenshots, not saving them in password managers, not emailing them to oneself, and not storing them in a text file. Recovery phrases should be written on a physical medium (paper or metal) and secured in a safe place, like a physical safe. This completely removes the data that SparkCat is designed to steal, rendering the malware ineffective even if it successfully infects a device. Security awareness campaigns should specifically highlight the risk of storing seed phrases in photos.",{"technique_id":80,"technique_name":81,"url":82,"recommendation":83,"mitre_mitigation_id":84},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening","Mobile users must practice strict permission management for all applications. Before granting an app access to the photo library, users should critically assess whether the app truly needs that permission for its core function. For example, a food delivery app has no legitimate reason to require access to your entire photo library. On both iOS and Android, users can review and revoke permissions for already-installed apps in the system settings. Furthermore, when an app does require photo access, users should leverage newer OS features that allow granting access to only specific, selected photos rather than the entire library. This principle of least privilege for app permissions can significantly limit the scope of what malware like SparkCat can access.","M1054",[],[87,93],{"type":88,"value":89,"description":90,"context":91,"confidence":92},"network_traffic_pattern","Anomalous image uploads from non-gallery apps","A mobile application that is not a photo management or social media app uploading a large number of images is highly suspicious.","Mobile Threat Defense (MTD) solutions, network firewalls, proxy logs.","medium",{"type":94,"value":95,"description":96,"context":97,"confidence":92},"api_endpoint","Photo library access API calls","Monitoring which applications are frequently accessing the entire photo library, rather than just the camera or a single image.","Mobile OS-level security tools, application analysis sandbox.",[13,14,19,99,100,101,102,22],"iOS","Android","Cryptocurrency","OCR","2026-04-07T15:00:00.000Z","NewsArticle",{"geographic_scope":106,"countries_affected":107,"industries_affected":109,"other_affected":111},"regional",[108],"Asia",[110],"Finance",[112],"Cryptocurrency users",5,1775683841907]