A new variant of SparkCat has been found on the Apple App Store and Google Play. Kaspersky researchers discovered the trojan, which uses optical character recognition (OCR) to steal cryptocurrency wallet recovery phrases from photo galleries. Two infected iOS apps and one Android app were identified, primarily targeting crypto holders in Asia.
SparkCat was first documented by Kaspersky in February 2025. Its return over a year later, with improved obfuscation, confirms the malware is actively maintained and evolving.
The trojan conceals itself inside seemingly legitimate apps. Enterprise messengers and food delivery services were among the cover identities. Once installed, SparkCat requests access to the photo gallery, then scans stored images with an OCR module looking for text that matches mnemonic recovery phrases.
The updated variant of SparkCat requests access to view photos in a user's smartphone gallery in certain scenarios — just like the very first version of the Trojan. It analyzes the text in stored images using an optical character recognition module.
— Sergey Puzan, researcher, Kaspersky
Recovery phrases are typically 12- or 24-word sequences defined by the BIP-39 standard. They restore full access to a crypto wallet. Many holders photograph their paper backups as a convenience shortcut, creating exactly the digital copy SparkCat is built to find.
When the stealer finds matching keywords in an image, it sends the photo to an attacker-controlled server.
The updated Android variant adds code virtualization and cross-platform programming languages to hinder analysis. It scans for Japanese, Korean, and Chinese keywords, pointing to an Asian-focused strategy.
On iOS, SparkCat takes a different approach. It scans for English-language mnemonic phrases, which Kaspersky notes makes it potentially broader in reach. English seed words appear in wallets worldwide regardless of the holder's location.
If the stealer finds relevant keywords, it sends the image to the attackers. Considering the similarities of the current sample and the previous one, we believe that the developers of the new version of malware are the same.
— Sergey Puzan, researcher, Kaspersky
Kaspersky's original February 2025 report assessed the operation was run by a Chinese-speaking operator. The company described SparkCat at the time as one of the first OCR-based crypto stealers found on the Apple App Store.
SparkCat is part of a broader mobile trend targeting cryptocurrency holders. The REF1695 operation we covered this week used fake installers to deploy crypto miners and RATs. Clipboard hijackers replace wallet addresses during copy-paste. Fake wallet apps harvest credentials directly.
SparkCat's OCR approach is more passive. It does not require the user to interact with crypto software at all. The trojan scans the photo gallery silently in the background while disguised as a legitimate app.
Detecting this type of malware through app store review is inherently difficult. Photo library access is a common permission for messengers, food delivery, and social media apps. The malicious OCR behaviour activates only after installation and is not visible during static code review. The new variant's code virtualization and cross-platform language choices further complicate automated scanning.
Do not photograph wallet recovery phrases. If you have seed phrase photos in your camera roll, delete them and verify your wallet has not been compromised. Review photo library permissions on iOS (Settings, Privacy, Photos) and Android (Settings, Apps, Permissions, Photos). Revoke access from apps that do not need it.
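The Android permission review described above, as an added self-audit example (not Kaspersky's or the article's code): it parses `adb shell dumpsys package` output for installed apps that currently hold a photo-library runtime permission and emits the matching `pm revoke` commands for anything not on an allow-list. The dumpsys layout is assumed from typical output, and the package names in the sample are constructed.

```python
import re
from typing import Dict, List, Set

# Runtime permissions that give an app access to the photo gallery on Android.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13+ scoped media permission
    "android.permission.READ_EXTERNAL_STORAGE",  # apps still targeting older API levels
}

# Constructed sample in the layout `adb shell dumpsys package` typically prints (assumed layout).
SAMPLE_DUMPSYS = """\
  Package [com.example.messenger] (3a1f9c2):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
  Package [com.example.fooddelivery] (7b22e01):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET]
  Package [com.example.gallery] (c0ffee1):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_photo_access(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package to the photo-related runtime permissions it currently holds."""
    result: Dict[str, Set[str]] = {}
    current = None  # package whose section we are currently inside
    for line in dumpsys_text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true" and perm.group(1) in PHOTO_PERMISSIONS:
            result.setdefault(current, set()).add(perm.group(1))
    return result

def revoke_commands(access: Dict[str, Set[str]], keep: Set[str]) -> List[str]:
    """Build `adb shell pm revoke` lines for every package not on the allow-list."""
    return [f"adb shell pm revoke {pkg} {perm}"
            for pkg, perms in sorted(access.items()) if pkg not in keep
            for perm in sorted(perms)]
```

Feed it real output from `adb shell dumpsys package` and put genuine gallery or camera apps on the allow-list before running the emitted commands.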
SparkCat targets the exact moment a security practice fails. You write the seed phrase on paper, good. Then you photograph it "just in case," and the paper backup becomes a digital asset sitting in your camera roll. One year, new obfuscation layers, same developer. This operation is not going away.
— Artem Safonov, Threat Analyst at AnonHaven
Kaspersky did not specify whether Apple and Google have removed the infected apps from their stores. The names and download counts of the infected apps have not been disclosed.