A new variant of the SparkCat trojan has been discovered on both the Apple App Store and Google Play Store, designed specifically to steal images of cryptocurrency wallet recovery phrases. Security researchers report the malware masquerades as benign applications, including enterprise messengers and food delivery services, to bypass platform security checks and trick users into installation.
Once installed, the malware's primary objective is to gain access to the user's photos or to the ability to capture the device's screen, which it obtains through deceptive permission requests. After access is granted, SparkCat actively scans the device's photo gallery for saved images of seed phrases, or waits for the user to display a recovery phrase in a wallet app and captures a screenshot of it. These phrases, which act as a master key to a cryptocurrency wallet, are then sent to an attacker-controlled server.
The impact for victims is direct and severe: the complete and often irreversible loss of their cryptocurrency assets. The presence of this malware on official app stores highlights a persistent challenge for Google's and Apple's security vetting processes. It also demonstrates a calculated effort by cybercriminals to target high-value digital assets by exploiting common user behaviors, such as screenshotting a recovery phrase as a backup.
This discovery follows the initial identification of the SparkCat trojan over a year ago, indicating the malware's operators are continuously refining their techniques to evade detection. Mobile users, particularly those managing digital assets, are advised to be extremely cautious with app permissions and to avoid storing sensitive information like recovery phrases as digital images on their devices.