SparkCat malware variant expands OCR-based crypto recovery phrase theft to iOS and enhanced Android targets

1 unique sources, 1 articles

Summary

A newly identified variant of the SparkCat malware has been observed on the Apple App Store and Google Play Store, camouflaged within legitimate-looking applications such as enterprise messengers and food delivery services. The malware specifically targets cryptocurrency users by scanning mobile device photo galleries for images containing wallet recovery phrases using optical character recognition (OCR). The iOS version scans for English mnemonics, broadening its potential geographic impact, while the Android iteration focuses on Japanese, Korean, and Chinese keywords. Matching images are exfiltrated to attacker-controlled servers.

Timeline

  1. 03.04.2026 12:10 1 articles · 3h ago

    SparkCat malware variant with OCR-based wallet recovery phrase theft identified on iOS and enhanced Android applications

    SparkCat malware has evolved into a cross-platform threat targeting cryptocurrency users via mobile applications on Apple App Store and Google Play Store. The iOS variant scans photo galleries for wallet recovery phrase images containing English mnemonics, while the Android version incorporates improved obfuscation and targets Asian languages (Japanese, Korean, Chinese). OCR is used to analyze images, and matching files are exfiltrated to attacker-controlled infrastructure. Initial assessment links the campaign to a Chinese-speaking threat actor, highlighting the ongoing operational activity of SparkCat since its initial documentation in early 2025.

Information Snippets