Security researchers have recently warned about a renewed variant of the SparkCat malware that has reappeared in the official mobile app stores, both Apple's App Store and the Google Play Store. What is disturbing is that the carriers are not applications that look suspicious to the naked eye: the malicious code is hidden inside programs that appear legitimate, such as business messengers or food delivery services, and it operates quietly in the background.
SparkCat's most dangerous function is its ability to scan the device's photo gallery in search of cryptocurrency wallet recovery phrases. Such a phrase, the well-known "seed" or mnemonic, lets anyone who holds it restore control of a wallet; if it falls into an attacker's hands, theft of the assets can be practically instant. Researchers at the Russian company Kaspersky reported detecting several infected applications on both platforms and explained that the malware uploads only the images containing relevant text to operator-controlled servers.

A significant difference between the variants lies in language targeting and scope. The iOS version was designed to identify mnemonic phrases in English, which potentially gives it a broader reach, since it does not depend on one regional language. The Android variant, by contrast, includes keyword searches in Japanese, Korean and Chinese, pointing to a focus on Asian users.
Beyond the language patterns, technical changes in the Android version show the malware growing in sophistication. Its developers have added multiple layers of obfuscation to complicate analysis: from code virtualization to the use of cross-platform languages and tools intended to evade the static and dynamic inspection that analysts rely on. In other words, SparkCat has learned to hide better and to slow down or confuse the people studying it.
The exfiltration path relies on an optical character recognition (OCR) module that analyzes the images stored on the device. When the OCR detects text that looks like a recovery phrase, the matching image is transferred to the attacker's server. Kaspersky first described this technique in February 2025, and it now returns with improvements, confirming that the malicious project is active and under continuous development.
The researchers attribute the operation to a Chinese-speaking actor and, according to their findings, the similarities between the old and new samples suggest that the same operators, or a closely related group, are responsible. The analysis of behaviors and infection chains led experts such as Sergey Puzan to stress the need for mobile security tools and for attention to the permissions granted to applications. In his statements to the press, Puzan noted that the malware requests access to photos in certain scenarios and then uses OCR to decide what to send to the attackers.
From a practical standpoint, this puts back on the table recommendations that every cryptocurrency user should take seriously. Keeping a photo of the recovery phrase on the phone turns that copy into a target. Hardware wallets and cold storage practices remain the most robust defenses against this kind of theft. In addition, carefully reviewing the permissions an application requests before installing it, and distrusting apps that ask for gallery access without a clear reason, significantly reduces the risk.
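As an added example (not from Kaspersky's research or this article), the following Python script applies that permission review on Android: it parses the output of `adb shell dumpsys package` and lists the installed packages that currently hold a granted gallery-read permission. The dumpsys text and the package names in it are constructed for the example.

```python
import re
from typing import Dict, Set

# Permissions that give an app broad read access to the photo gallery
# (READ_MEDIA_IMAGES on Android 13+, READ_EXTERNAL_STORAGE on older releases).
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed sample of `adb shell dumpsys package` output, trimmed to the
# fields this audit needs; the package names are hypothetical.
SAMPLE_DUMPSYS = """\
  Package [com.example.fooddelivery] (3f2a1b):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_MEDIA_IMAGES
    User 0: installed=true
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (9c8d7e):
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
    User 0: installed=true
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
  Package [com.example.calculator] (11aa22):
    requested permissions:
      android.permission.INTERNET
"""

PKG_RE = re.compile(r"^\s*Package \[(\S+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.\S+): granted=(true|false)")


def granted_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package to the set of permissions currently granted to it."""
    grants: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            grants.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            grants[current].add(perm.group(1))
    return grants


def apps_with_photo_access(dumpsys_text: str) -> Set[str]:
    """Packages holding a granted gallery-read permission: review each one."""
    return {pkg for pkg, perms in granted_permissions(dumpsys_text).items()
            if perms & PHOTO_PERMISSIONS}


if __name__ == "__main__":
    for pkg in sorted(apps_with_photo_access(SAMPLE_DUMPSYS)):
        print(pkg)
```

On a real device, pipe `adb shell dumpsys package` into `apps_with_photo_access` and check that every package listed has a plausible reason to read photos.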
Official stores have improved their controls, but incidents show that they are not infallible: malicious applications can pass initial reviews or appear after updates that introduce hostile code. It is therefore recommended to complement native protections with mobile security solutions and to check the reputation of developers before installing. Apple resources on app review and protection tools like Google Play Protect may mitigate risks, although they do not replace the user's prudence.

For those who manage digital assets, it is also worth following specialized security guides: wallet vendors and platforms such as MetaMask, and hardware makers like Ledger, offer clear recommendations on how to store mnemonic phrases and minimize their exposure. And, beyond cryptocurrency, keeping the operating system and applications up to date narrows the window in which malware can exploit known vulnerabilities.
SparkCat's reappearance is a reminder that the mobile threat landscape is dynamic: the authors not only reuse ideas, they refine them. The research published by Kaspersky and the coverage in specialized outlets such as The Hacker News show that campaigns of this kind seek to maximize their impact with relatively simple but effective techniques when they reach unwary users.
In short, the lesson is clear: the convenience of having everything on the phone must not turn into negligence with the keys (seed phrases) to our digital wallets. Saving a recovery phrase as a photo on a phone is an invitation to theft. Basic digital hygiene and a commitment to offline security and storage solutions can make the difference between keeping and losing control of one's assets.