Evolving mobile Trojan targets crypto wallet recovery phrases through infected apps
Kaspersky has identified a new variant of the SparkCat Trojan infiltrating both App Store and Google Play, highlighting growing concerns around mobile app security even within official distribution platforms.
The updated malware, which previously surfaced and was removed last year, has re-emerged embedded within seemingly legitimate applications, including an enterprise messaging app and a food delivery platform. While the malicious versions have since been taken down, Kaspersky noted that infected apps were also distributed through third-party websites, some of them designed to mimic official app stores and particularly targeting iPhone users.
At its core, SparkCat is designed to steal cryptocurrency assets by scanning users’ photo galleries. The malware uses optical character recognition (OCR) technology to identify and extract sensitive information such as wallet recovery phrases. On Android devices, it searches for keywords in Japanese, Korean, and Chinese, indicating a focus on Asian markets. However, the iOS variant scans for English-language mnemonic phrases, making it a broader global threat.
“The SparkCat malware is an evolving mobile threat. Threat actors are increasing the complexity of anti-analysis techniques, enabling it to bypass official app store review processes.”
— Sergey Puzan, Cybersecurity Expert, Kaspersky
The latest version of SparkCat demonstrates a significant evolution in sophistication. According to Kaspersky researchers, it employs advanced obfuscation techniques, including code virtualization and cross-platform programming methods rarely seen in mobile malware. These enhancements allow it to evade detection and bypass traditional app review mechanisms.
Security experts warn that the malware requests access to users’ photo galleries under legitimate pretenses. Once granted, it analyzes stored images and transmits relevant data to attackers if sensitive content is detected.
Kaspersky has reported the malicious applications to both Apple and Google, reinforcing the need for continuous vigilance across app ecosystems.
The discovery underscores a critical shift in the mobile threat landscape, where attackers are increasingly targeting user behavior and exploiting trusted platforms. As mobile devices become central to financial and digital identity management, such threats highlight the importance of proactive security practices, including limiting app permissions and avoiding the storage of sensitive data like crypto seed phrases in easily accessible formats.
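The gallery-wide permission described above is the capability SparkCat depends on; an app that only needs one picture from the user does not have to ask for it. The following Android activity is an added illustration of that mitigation and is not code from the Kaspersky report or from any of the affected apps. It uses the system Photo Picker, which hands the app a read grant for the single item the user chooses rather than access to the whole library. It assumes androidx.activity 1.7.0 or newer is on the classpath; the layout and view ids are hypothetical.

```kotlin
// Added example (not from the Kaspersky report or any affected app): let the user
// attach one photo through the system Photo Picker instead of requesting
// READ_MEDIA_IMAGES / READ_EXTERNAL_STORAGE. The app never receives a gallery-wide
// grant, so neither the app itself nor a malicious SDK bundled into it can
// enumerate and OCR stored images.
// Assumption: androidx.activity:activity-ktx 1.7.0 or newer is available.
import android.net.Uri
import android.os.Bundle
import android.widget.Button
import androidx.activity.result.PickVisualMediaRequest
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity

class AttachPhotoActivity : AppCompatActivity() {

    // Must be registered before the activity reaches STARTED, so it is a
    // property initialised when the activity object is constructed.
    private val pickImage =
        registerForActivityResult(ActivityResultContracts.PickVisualMedia()) { uri: Uri? ->
            if (uri == null) {
                // User cancelled: nothing was shared and no permission was granted.
                return@registerForActivityResult
            }
            // This URI carries a temporary read grant for exactly one item,
            // which is all a messaging or food-delivery app needs for an attachment.
            handlePickedImage(uri)
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Hypothetical layout and view ids used for illustration only.
        setContentView(R.layout.activity_attach_photo)
        findViewById<Button>(R.id.attach_button).setOnClickListener {
            pickImage.launch(
                PickVisualMediaRequest(ActivityResultContracts.PickVisualMedia.ImageOnly)
            )
        }
    }

    private fun handlePickedImage(uri: Uri) {
        // Read the single selected image (upload, preview, ...). No other file in
        // the user's gallery is reachable from this process.
        contentResolver.openInputStream(uri)?.use { stream ->
            // ... consume stream ...
        }
    }
}
```

For reviewers of an app or of a third-party SDK, the corresponding check is simple: a manifest that declares READ_MEDIA_IMAGES or READ_EXTERNAL_STORAGE when every feature could be served by the picker is a reason to ask why the broader grant is needed. On iOS the same principle applies with PHPickerViewController, which likewise returns only the items the user selects without a photo-library authorization prompt.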
