Apps Hide a Stealthy Crypto‑Theft Tool
Asia | Friday, April 3, 2026
New studies reveal a recent version of the SparkCat malware slipping into apps on both iOS and Android stores.
The program masquerades as everyday utilities—messaging tools, food delivery apps—and quietly scans users’ photo libraries for images that contain cryptocurrency wallet recovery phrases.
Infections found:
- Two titles on Apple’s App Store
- One title on Google Play
All were targeted mainly at crypto users in Asia.
iOS Strain
- Looks for English mnemonic phrases, broadening the danger beyond local markets.
- Targets anyone who stores a phrase in an image.
Android Strain
- Adds extra layers of code obfuscation, using virtualization and cross‑platform languages to dodge analysis.
- Searches for Japanese, Korean, and Chinese keywords, indicating a clear focus on Asian markets.
How It Works
The malware’s core trick is optical character recognition (OCR): it reads the text in images from the user’s photo library and looks for wallet recovery phrases.
Once it finds a phrase, the image is sent to an attacker’s server.
- First noted by security researchers in early 2025.
- Latest tweaks show the threat is still evolving.
Analysts suspect a Chinese‑speaking operator is behind the campaign, based on language clues and code similarities.
What Users Should Do
- Avoid granting photo‑gallery access to any app unless absolutely necessary.
- Install trusted security tools on phones.
- Stay cautious about app permissions, especially when downloading free utilities that request broad access.
This new variant reminds us that even legitimate‑looking apps can hide dangerous code, and vigilance is key to protecting digital wallets.