SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases
Malware Activity
Summary
Hide ▲
Show ▼
The SparkCat malware resurfaced in a new variant inside apps on the Apple App Store and Google Play Store, increasing the risk of mobile crypto wallet theft. The malware hides in benign-looking software and uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases. Kaspersky said the iOS build may reach users beyond Asia, while the Android build adds obfuscation layers to hinder analysis.
Related Happenings
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/Service
H score11
First: 03.07.2026 12:35
Last: 03.07.2026 12:35
Sources 1
About this happening:
**Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Google Play Protect adds warnings and app disabling for compromised SDK abuse
Security Tool/ServiceAbout this happening: **Google Play Protect** was updated in **July 2026** to **warn Android users automatically** and **disable apps** tied to **compromised SDKs**, limiting abuse of consumer devices...
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical Analysis
H score45
First: 06.06.2026 11:29
Last: 06.06.2026 11:29
Sources 1
About this happening:
Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
Bright Data iOS SDK teardown reveals unauthenticated scraping relay and VPN bypass
Technical AnalysisAbout this happening: Researchers **reverse-engineered Bright Data's iOS SDK** and found it can turn consumer devices into **exit nodes** for web-scraping traffic. The teardown showed the job channel h...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
BTMOB Android RAT no-code builder malware activity
Malware ActivityAbout this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
Trapdoor Android malvertising and ad-fraud campaign
Campaign
H score39
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Trapdoor Android malvertising and ad-fraud campaign
CampaignAbout this happening: The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Android 17 expands platform security and privacy protections
Security Tool/Service
H score15
First: 12.05.2026 20:00
Last: 12.05.2026 20:00
Sources 1
About this happening:
**Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Android 17 expands platform security and privacy protections
Security Tool/ServiceAbout this happening: **Android 17** will add a broad set of **Google**-backed security and privacy controls next month, reducing exposure to **banking scam calls**, **device theft**, and **OTP theft**...
Timeline
-
03.04.2026 12:10 2 articles · 3mo ago
Kaspersky identifies new SparkCat variant in App Store and Google Play apps
Initial DisclosureKaspersky researchers identified a new SparkCat variant in apps on the Apple App Store and Google Play Store, where the malware hides in benign-looking software and uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases. The Android build adds code virtualization and other obfuscation layers, scans Japanese, Korean, and Chinese keywords, and primarily targets cryptocurrency users in Asia, while the iOS build scans English mnemonic phrases and may affect users regardless of region. SparkCat had first been documented in February 2025 as an OCR-enabled trojan that exfiltrates images containing wallet recovery phrases from photo libraries.
Show sources
- New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images — thehackernews.com — 03.04.2026 12:10
- New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images — thehackernews.com — 03.04.2026 12:10