New SparkCat Variant Found Bypassing App Store and Google Play Security

Kaspersky has identified a new variant of the SparkCat Trojan lurking inside both the App Store and Google Play — roughly a year after the crypto-stealing malware was first discovered and removed from both platforms.

What the New SparkCat Variant Does

The updated Trojan conceals itself inside legitimate-looking applications, including enterprise messaging apps and a food delivery app. Once installed, it scans the user's photo gallery with an optical character recognition (OCR) module, looking for images that contain cryptocurrency wallet recovery phrases. Images that match are then transmitted to the attackers.

Kaspersky researchers found two infected apps on the App Store and one on Google Play. Malicious code has since been removed from both stores. The malware is also distributed through third-party sources, with some web pages mimicking the App Store when accessed from an iPhone.

Advanced Obfuscation Techniques

The Android variant of the updated SparkCat features multiple obfuscation layers — including code virtualisation and cross-platform programming language usage — that are rare for mobile malware. The iOS variant takes a different approach, scanning specifically for cryptocurrency wallet mnemonic phrases in English, which potentially broadens its reach beyond a single region.

The Android version also targets screenshots containing keywords in Japanese, Korean and Chinese, suggesting the campaign primarily targets cryptocurrency users in Asia.

“The SparkCat malware is an evolving mobile threat. Threat actors behind it constantly raise the complexity of the anti-analysis techniques allowing it to bypass the review process of the official app stores. Moreover, methods used by the SparkCat developers, such as code virtualisation and cross-platform programming language usage, are rare for mobile malware. This demonstrates the high skill of the threat actors.” — Dmitry Kalinin, cybersecurity expert, Kaspersky

How to Stay Protected

Kaspersky has reported the known malicious applications to both Google and Apple. The firm advises users to install reliable mobile security software, avoid storing screenshots of sensitive information such as cryptocurrency seed phrases in their device gallery, and exercise caution when downloading apps — even from official stores.
