SparkCat Malware Targets iOS Android Crypto Wallets

Two fake apps on Apple's pristine App Store. One on Google Play. All packing SparkCat malware that's eyeing your crypto wallet screenshots. Wake up, crypto bros.

SparkCat malware interface scanning crypto wallet recovery phrases in mobile photo gallery

Key Takeaways

  • SparkCat malware resurfaced in 2 App Store and 1 Play Store apps, using OCR to steal crypto seed phrase screenshots.
  • iOS version targets English mnemonics for wider reach; Android focuses on Asian languages.
  • App store review failed again, which makes the case for better runtime detection as these threats keep evolving.

Two apps on the Apple App Store. One on Google Play. That’s how many ways SparkCat malware just waltzed back into your phone, over a year after Kaspersky first clocked it.

And it’s not picking pockets—it’s raiding your photo gallery for crypto wallet recovery phrases. Those 12-24 word seeds you idiotically screenshot? Yeah, gone.

Kaspersky’s researchers nailed it first, spotting these trojans masquerading as enterprise chat apps and food delivery services. Primarily gunning for crypto users in Asia. But the iOS version? It’s scanning for English mnemonics. Broader net. Smarter thieves.

“The iOS variant, however, takes a different approach as it scans for cryptocurrency wallet mnemonic phrases, which are in English,” Kaspersky notes. “This makes the iOS variant potentially broader in reach, as it can affect users regardless of their region.”

How Did SparkCat Dodge App Store Review—Again?

Look, Apple’s got this aura of untouchability. Garden walled to hell. Yet here we are: the original SparkCat discovery was February 2025, and now an upgraded beast slips through. Android’s no saint either—obfuscation layers piled high, code virtualization, cross-platform tricks to flip the bird at analysts.

The Android tweak? Scans Japanese, Korean, Chinese keywords. Laser-focused on Asia’s crypto boom. But iOS keeps it universal. Sneaky.

Kaspersky’s Sergey Puzan spells it out:

“The updated variant of SparkCat requests access to view photos in a user’s smartphone gallery in certain scenarios — just like the very first version of the Trojan,” Kaspersky researcher Sergey Puzan told The Hacker News. “It analyzes the text in stored images using an optical character recognition module.”

OCR model. Exfiltrates images to attacker servers. Same playbook, refined. And get this—these aren’t script kiddies. Chinese-speaking operators, per Kaspersky. Actively evolving. That’s not a hobby project; that’s a business.

Here’s my hot take, absent from the press release: this reeks of XcodeGhost 2.0. Remember 2015? Malware-infected Xcode builds hit the App Store, snagging 250 million downloads. Apple patted itself on the back and promised fixes. Ten years later? The same gallery-access ploy works. Gatekeepers are napping. Or worse, under-resourced against nation-state-caliber obfuscation.

Why Asia’s Crypto Whales Are Prime Targets

Asia’s crypto scene? Exploding. Japan, Korea, China—underground hubs despite bans. Billions in play. Screenshots of seeds? Common as dirt. Users treat ‘em like fridge magnets.

SparkCat doesn’t brute-force wallets. No phishing links. Just asks for photos—“Hey, enterprise messenger needs gallery access for… reasons.” You tap yes. Boom. OCR scans, keywords match (BIP39 standards, anyone?), image zips to C2 server.

Android version’s regional keywords scream focus: kanji for wallet terms, Hangul phrases. iOS goes global with English. Prediction: if unpatched, we’ll see Euro variants by summer. OCR tech’s dirt cheap now—open-source models everywhere. Threat actors scale this overnight.

But wait—“enterprise messengers”? Food delivery? Genius camouflage. Who denies photo access to a DoorDash knockoff? You’re busy ordering ramen, not auditing permissions.

Short answer: you’re screwed if you screenshot seeds. Hardware wallets or bust. But that’s not the point.

The point? App stores are sieves for sophisticated malware. SparkCat’s back proves it. Kaspersky urges security solutions—duh. But really, it’s on you to sideload paranoia.

Is Your Phone Already Compromised?

Check your apps. Enterprise chat? Food delivery oddities? Permissions for photos? Revoke ‘em. But SparkCat’s evolved—hides deep, virtualization shields it from AV.
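One way to actually run that permission audit on Android, as an added example that is not from the article or from Kaspersky: a small POSIX shell script that filters `adb shell dumpsys package` output for third-party apps currently granted READ_MEDIA_IMAGES (Android 13+) or READ_EXTERNAL_STORAGE (older releases), so each one can be reviewed and revoked. It assumes `adb` is installed and USB debugging is enabled for the live path; the filter itself is a plain text pass over dumpsys output, and the package names in the embedded sample dump are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from Kaspersky.
# Lists third-party Android apps that currently hold a gallery-reading
# permission, so each one can be reviewed and revoked.
# Assumptions: `adb` is installed and the phone has USB debugging enabled
# for the live path (audit_device). The filter itself (gallery_grants) is a
# plain text pass over `dumpsys package` output, so it also runs offline
# against a saved dump, which is what the constructed sample at the bottom does.

# Runtime permissions that expose the photo gallery: READ_MEDIA_IMAGES on
# Android 13+, READ_EXTERNAL_STORAGE on older releases.
GALLERY_PERMS='android.permission.READ_MEDIA_IMAGES|android.permission.READ_EXTERNAL_STORAGE'

# gallery_grants: read `dumpsys package` text on stdin and print one
# "<package> <permission>" line per granted gallery permission.
gallery_grants() {
    awk -v perms="$GALLERY_PERMS" '
        # Section header looks like:  "  Package [com.foo.bar] (1a2b3c):"
        /^  Package \[/ {
            pkg = $2
            gsub(/^\[|\]$/, "", pkg)
        }
        # Permission lines look like:
        # "        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]"
        $1 ~ ("^(" perms "):$") && $0 ~ /granted=true/ {
            split($1, parts, ":")
            print pkg, parts[1]
        }
    ' | sort -u
}

# audit_device: enumerate third-party packages (-3) on the attached phone and
# run the filter over each one's dumpsys output.
audit_device() {
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
        adb shell dumpsys package "$pkg" | tr -d '\r' | gallery_grants
    done
}

# revoke_gallery <package> <permission>: pull one gallery permission from one
# package. Android will prompt the user again if the app asks for it later.
revoke_gallery() {
    adb shell pm revoke "$1" "$2"
}

# Constructed sample dump (fake package names, not real apps) in the layout
# `dumpsys package` uses, covering the three cases that matter: a granted
# READ_MEDIA_IMAGES, a granted READ_EXTERNAL_STORAGE, and a denied one.
SAMPLE_DUMP='  Package [com.example.enterprisechat] (1a2b3c):
    userId=10201
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.fooddelivery] (4d5e6f):
    userId=10202
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (7a8b9c):
    userId=10203
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]'

# Run against the attached phone with --live; otherwise show the filter on the
# sample dump, which flags the chat and delivery apps and skips the notes app.
if [ "${1:-}" = "--live" ]; then
    audit_device
else
    printf '%s\n' "$SAMPLE_DUMP" | gallery_grants
fi
```

Run it with `--live` against a connected phone, then `revoke_gallery <package> android.permission.READ_MEDIA_IMAGES` for anything that has no business reading photos. There is no adb equivalent on iOS; the same review is done by hand under Settings > Privacy & Security > Photos, where each app's access level is listed.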

Kaspersky links the new samples to originals. Same devs. Persistent campaign. And it’s not alone—malware families like this multiply. Remember RedLine? ClipBanker? All gallery-raiding kin.

Corporate spin? Apple’ll say “removed swiftly.” Google too. But damage done. Victims drained before takedown. How many? Unknown. But Asia’s crypto theft reports spiked last quarter—coincidence?

My unique gripe: this exposes crypto’s dirty secret. “Not your keys, not your coins” chants ring hollow when your phone’s the weak link. Wallets need built-in gallery shields. MetaMask, Trust Wallet—where’s your OCR blocker?

What Apple and Google Won’t Admit

Review processes? Laughable against pros. Human reviewers skim. Automated scans miss virtualized code. Cross-platform langs? Kotlin mixed with Rust obfuscation—good luck.

Bold call: SparkCat’s just the tip. State-backed actors (Chinese op, remember?) test the waters. If it stays undetected long enough, full campaigns roll. Billions at risk. App stores must mandate behavioral analysis—runtime monitoring. Or admit defeat.

Users, don’t wait. Audit permissions. Use app vetters like AppCensus. And for god’s sake, never screenshot seeds. Burn ‘em if you must.

This isn’t hype. It’s a wake-up. SparkCat evolved because it works. Your gallery’s a goldmine—don’t make it easy.


Frequently Asked Questions

What is SparkCat malware?
SparkCat’s a trojan in fake iOS and Android apps that uses OCR to scan photo galleries for crypto wallet recovery phrases, then steals the images.

How does SparkCat get into App Store apps?
It hides in benign-looking apps like messengers or delivery services, using obfuscation like code virtualization to evade reviews.

Am I safe if I’m not in Asia?
The iOS version targets English phrases—global risk. Check app permissions and avoid screenshotting wallet seeds.

Written by Elena Vasquez

Senior editor and generalist covering the biggest stories with a sharp, skeptical eye.


Originally reported by The Hacker News
