Find notable cyber news and cases, enriched with sources, timelines, and signals.

SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 1 articles

Summary

Hide ▲

The SparkCat malware resurfaced in a new variant inside apps on the Apple App Store and Google Play Store, increasing the risk of mobile crypto wallet theft. The malware hides in benign-looking software and uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases. Kaspersky said the iOS build may reach users beyond Asia, while the Android build adds obfuscation layers to hinder analysis.

Related Happenings

Google Play Protect adds warnings and app disabling for compromised SDK abuse

Security Tool/Service
H score11 First: 03.07.2026 12:35 Last: 03.07.2026 12:35 Sources 1

About this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...

Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass

Technical Analysis
H score45 First: 06.06.2026 11:29 Last: 06.06.2026 11:29 Sources 1

About this happening: Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Trapdoor Android malvertising and ad-fraud campaign

Campaign
H score39 First: 19.05.2026 19:38 Last: 19.05.2026 19:38 Sources 1

About this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...

Android 17 expands platform security and privacy protections

Security Tool/Service
H score15 First: 12.05.2026 20:00 Last: 12.05.2026 20:00 Sources 1

About this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...

Timeline

  1. 03.04.2026 12:10 2 articles · 3mo ago

    Kaspersky identifies new SparkCat variant in App Store and Google Play apps

    Initial Disclosure

    Kaspersky researchers identified a new SparkCat variant in apps on the Apple App Store and Google Play Store, where the malware hides in benign-looking software and uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases. The Android build adds code virtualization and other obfuscation layers, scans Japanese, Korean, and Chinese keywords, and primarily targets cryptocurrency users in Asia, while the iOS build scans English mnemonic phrases and may affect users regardless of region. SparkCat had first been documented in February 2025 as an OCR-enabled trojan that exfiltrates images containing wallet recovery phrases from photo libraries.

    Show sources