SparkCat Stealer Reached Google Play and Apple App Store
Researchers uncovered SparkCat, a cross-platform malware campaign that embedded malicious Android SDKs and iOS frameworks into apps distributed through both official and unofficial marketplaces, including Google Play and Apple’s App Store. The malware used Google ML Kit OCR to scan victims’ photo galleries for cryptocurrency wallet recovery phrases, then selectively exfiltrated matching images to attacker-controlled infrastructure. Infected Android apps on Google Play were downloaded more than 242,000 times, and researchers described the iOS findings as the first known case of a stealer discovered in Apple’s App Store.
SparkCat appears to have been active since at least March 2024 and targeted users across Europe and Asia using multilingual keyword lists and localized dictionaries to identify seed phrases. The campaign also used obfuscation and a Rust-based custom C2 protocol to hinder analysis and manage communications. Following disclosure, Apple removed the malicious iOS apps on 2025-02-06, and Google removed the malicious Android apps on 2025-02-07.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Google removes malicious SparkCat Android apps from Google Play
Google removed the malicious Android applications associated with SparkCat from Google Play. The infected apps identified in Google Play had accumulated more than 242,000 downloads.
Apple removes malicious iOS apps from the App Store
Apple removed the malicious iOS applications linked to SparkCat from the App Store. Researchers described the operation as the first known case of a stealer discovered in Apple’s App Store.
SparkCat campaign begins targeting Android and iOS users
Researchers said the SparkCat malware campaign appears to have been active since at least March 2024. The campaign embedded malicious Android SDKs and iOS frameworks into apps distributed through official and unofficial app stores.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
SparkCat Mobile Malware in App Stores Steals Crypto Wallet Seed Phrase Images
A new **SparkCat** malware variant was discovered in apps distributed through both the **Apple App Store** and **Google Play Store**, showing the mobile threat remains active and under development. Researchers found the malware embedded in seemingly legitimate applications, including enterprise messaging and food delivery apps, where it covertly scans users’ photo galleries for cryptocurrency wallet recovery phrases using **OCR** and sends matching images to attacker-controlled servers. Kaspersky identified two infected iOS apps and one infected Android app, with the campaign primarily targeting cryptocurrency users in Asia. The iOS variant searches for English mnemonic phrases, while the Android version looks for Japanese, Korean, and Chinese keywords and adds stronger obfuscation such as code virtualization and cross-platform languages. Researchers assess the operation is likely tied to the same Chinese-speaking threat actor previously linked to SparkCat.
Jun 29, 2026
FakeWallet iOS Apps in Apple App Store Stole Cryptocurrency Seed Phrases
Researchers identified a **FakeWallet** campaign that placed at least **26 malicious iOS apps** in Apple’s App Store, where they impersonated well-known cryptocurrency wallets including **MetaMask, Ledger, Trust Wallet, Coinbase, TokenPocket, imToken, and Bitpie**. The apps primarily targeted users in **China**, taking advantage of the fact that many legitimate crypto wallet apps were unavailable in the local App Store, and used typosquatting, fake branding, and phishing flows to redirect victims to browser-based credential theft pages or trojanized wallet installers. Investigators said the operation had likely been active since at least late 2025, and Apple was notified and removed several of the identified apps. The malware used multiple techniques to steal wallet secrets from both hot-wallet and cold-wallet companion apps, including **malicious `dylib` injection**, executable hooking, provisioning profiles, and **React Native code tampering**. For hot wallets, the implants scraped mnemonic seed phrases and private keys directly from wallet interfaces; for Ledger-themed variants, the apps displayed convincing in-app prompts and fake verification pages to trick users into entering recovery phrases. Stolen data was **RSA PKCS #1-encrypted**, Base64-encoded, and sent to attacker-controlled servers, and researchers assessed the activity may be linked to the **SparkKitty** threat based on shared modules, Chinese-language artifacts, similar fake App Store-style distribution, and overlapping cryptocurrency theft objectives.
Jun 29, 2026
Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.
Jun 29, 2026