SparkCat Mobile Malware in App Stores Steals Crypto Wallet Seed Phrase Images
A new SparkCat malware variant was discovered in apps distributed through both the Apple App Store and Google Play Store, showing the mobile threat remains active and under development. Researchers found the malware embedded in seemingly legitimate applications, including enterprise messaging and food delivery apps, where it covertly scans users’ photo galleries for cryptocurrency wallet recovery phrases using OCR and sends matching images to attacker-controlled servers.
Kaspersky identified two infected iOS apps and one infected Android app, with the campaign primarily targeting cryptocurrency users in Asia. The iOS variant searches for English mnemonic phrases, while the Android version looks for Japanese, Korean, and Chinese keywords and adds stronger obfuscation such as code virtualization and cross-platform languages. Researchers assess the operation is likely tied to the same Chinese-speaking threat actor previously linked to SparkCat.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Apple and Google remove SparkCat-infected apps from official stores
After Kaspersky reported the malicious applications, Apple and Google removed the identified SparkCat-laced apps from the App Store and Google Play. The takedown affected apps including SafeW on iOS and SafeX on Android that had been used to steal cryptocurrency wallet recovery phrases.
Researchers link updated SparkCat to earlier Chinese-speaking operator
Analysis of the new variant found stronger Android obfuscation, including code virtualization and cross-platform languages, indicating continued development by a capable threat actor. Researchers assessed the operation is likely tied to the same Chinese-speaking actors previously associated with SparkCat.
Kaspersky discovers new SparkCat variant in App Store and Google Play apps
Kaspersky researchers identified a new SparkCat variant embedded in seemingly legitimate iOS and Android applications distributed through the Apple App Store and Google Play Store. The malware uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases and exfiltrate matching images to attacker-controlled servers.
SparkCat malware first identified targeting iOS and Android
The SparkCat trojan was first identified more than a year before April 2026 as malware targeting both iOS and Android devices. This earlier discovery established the original campaign later linked to the newly observed variant.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
SparkCat refait surface : un cheval de Troie cryptophage échappe ...
zdnet.fr
Open sourceSparkCat malware returns on app stores, targeting cryptocurrency users | brief | SC Media
scworld.com
Open sourceNew SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SparkCat Stealer Reached Google Play and Apple App Store
Researchers uncovered **SparkCat**, a cross-platform malware campaign that embedded malicious Android SDKs and iOS frameworks into apps distributed through both official and unofficial marketplaces, including **Google Play** and **Apple’s App Store**. The malware used **Google ML Kit OCR** to scan victims’ photo galleries for cryptocurrency wallet recovery phrases, then selectively exfiltrated matching images to attacker-controlled infrastructure. Infected Android apps on Google Play were downloaded more than **242,000** times, and researchers described the iOS findings as the **first known case of a stealer discovered in Apple’s App Store**. SparkCat appears to have been active since at least **March 2024** and targeted users across **Europe and Asia** using multilingual keyword lists and localized dictionaries to identify seed phrases. The campaign also used obfuscation and a **Rust-based custom C2 protocol** to hinder analysis and manage communications. Following disclosure, **Apple removed the malicious iOS apps on 2025-02-06**, and **Google removed the malicious Android apps on 2025-02-07**.
Jun 29, 2026
FakeWallet iOS Apps in Apple App Store Stole Cryptocurrency Seed Phrases
Researchers identified a **FakeWallet** campaign that placed at least **26 malicious iOS apps** in Apple’s App Store, where they impersonated well-known cryptocurrency wallets including **MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie**. The apps primarily targeted users in **China**, taking advantage of the fact that many legitimate crypto wallet apps were unavailable in the local App Store, and used typosquatting, fake branding, and phishing flows to redirect victims to browser-based credential theft pages or trojanized wallet installers. Investigators said the operation had likely been active since at least late 2025, and Apple was notified and removed several of the identified apps. The malware used multiple techniques to steal wallet secrets from both hot-wallet and cold-wallet companion apps, including **malicious `dylib` injection**, executable hooking, provisioning profiles, and **React Native code tampering**. For hot wallets, the implants scraped mnemonic seed phrases and private keys directly from wallet interfaces; for Ledger-themed variants, the apps displayed convincing in-app prompts and fake verification pages to trick users into entering recovery phrases. Stolen data was **RSA PKCS #1-encrypted**, Base64-encoded, and sent to attacker-controlled servers, and researchers assessed the activity may be linked to the **SparkKitty** threat based on shared modules, Chinese-language artifacts, similar fake App Store-style distribution, and overlapping cryptocurrency theft objectives.
Jun 29, 2026
Mobile malware and phishing campaigns abuse AI branding and Android tooling to steal credentials and surveil victims
Multiple mobile-focused threats were reported spanning **Android banking malware**, **iOS credential-harvesting via App Store listings**, and **Android espionage via trojanized crisis apps**. A new Android banking trojan marketed as **Mirax Bot** was advertised on underground forums as a **Malware-as-a-Service (MaaS)** offering, with claimed capabilities including **700+ app injects**, **Hidden VNC (HVNC)** for stealthy remote control, and features positioned for **account takeover (ATO)** and large-scale financial fraud; researchers noted the feature list is based on seller claims and not yet independently verified. Separately, researchers described **PromptSpy**, characterized as an Android threat that uses **generative-AI techniques** to improve phishing and fraud by generating more convincing social-engineering content and automating deceptive interactions on-device. In parallel, a phishing operation targeted iPhone users by impersonating **ChatGPT** and **Google Gemini** in emails that directed victims to **fraudulent iOS apps hosted on Apple’s App Store**; the apps (including *GeminiAI Advertising* `id6759005662` and *Ads GPT* `id6759514534`) presented a fake **Facebook login** flow to harvest credentials. Another campaign, **RedAlert**, weaponized a trojanized version of Israel’s “Red Alert” emergency app distributed as `RedAlert.apk` via **SMS phishing (smishing)**, pushing victims to sideload the APK; analysis reported the app mimicked the legitimate interface while requesting high-risk permissions (e.g., **SMS**, contacts, precise **GPS**) consistent with covert surveillance and data theft. A separate Kaspersky post focused on consumer guidance for disabling AI assistants and broader privacy concerns, and does not materially add incident-specific threat intelligence to the mobile malware/phishing reporting.
Jun 29, 2026