
New SparkCat Malware Variant: Discovered in iOS and Android Apps Stealing Crypto Recovery Phrase Images

By xploitzone
April 6, 2026 4:21 PM

Imagine you are using a simple food delivery app or a messaging app on your phone. Everything seems fine: the app works and there is no visible problem. But behind the scenes, a thief is quietly looking through every photo in your gallery, searching for one thing: the recovery phrase for your crypto wallet. And when he finds it? That's it, everything is gone. This is the story of SparkCat. The campaign was already running in 2024, was exposed in early 2025, and now, in 2026, a new and more dangerous version has emerged.

SparkCat is not ordinary malware. Most malware reaches you directly, through a link or a fake website. SparkCat took a different path: it hid inside apps that were already published on the App Store and Google Play, the places we all assume are safe. That is its biggest and scariest trait. Kaspersky, the Russian cybersecurity company, publicly reported it in February 2025 and noted that this was the first known case of an OCR-based stealer getting into an App Store app, a store that was always considered secure. And about a year later, in April 2026, a completely new variant appeared.

A Simple Explanation of How It Works

Think of your phone as a house. One room in it holds all your photos. SparkCat is a thief who walks in through a door you opened yourself: app permissions. When you install an app, it asks "Can I see your photos?", you tap Allow, and the door is open. This is also why the scope of that permission matters: both iOS and Android let you grant access to selected photos only, and a food delivery or chat app has no reason to see your whole library.

What happens next is a clever but malicious use of ordinary technology. SparkCat uses OCR (Optical Character Recognition), software that reads the text inside images; Kaspersky found it using Google's ML Kit library for this. The malware runs OCR over the images in your gallery and looks for the words that wallets print next to a recovery phrase, in several languages. So if you ever took a screenshot of your crypto wallet's recovery phrase, which many people do because they cannot remember it, that screenshot is picked out, uploaded to the attackers' server, and the phrase is read off it. All of this happens silently; you notice nothing.

Why does this recovery phrase matter so much? Because a crypto wallet has no bank behind it and no customer support. Whoever holds the 12 or 24 word phrase is, as far as the wallet is concerned, its owner. No questions, no verification: enter the phrase, the wallet opens, and every coin in it can be withdrawn. That is why SparkCat is so dangerous. It steals the one secret that gives away everything you have.
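To make the OCR step concrete, here is an added example (written for this article; it is not SparkCat's code and not anything from Kaspersky's report) of the filtering logic a gallery-scanning stealer needs once OCR has turned a screenshot into text. The same filter is useful defensively: run it over OCR output from your own screenshots to find images that should not exist. It assumes the BIP39 English wordlist that 12/24 word phrases are drawn from; the short DEMO_WORDLIST stand-in, the keyword strings and both sample OCR texts are constructed for the example.

```python
import re

# Added example, not SparkCat's code: a heuristic that decides whether OCR
# output from a screenshot looks like a wallet recovery phrase.

# BIP39 mnemonics are 12, 15, 18, 21 or 24 words long.
VALID_LENGTHS = frozenset({12, 15, 18, 21, 24})

# Assumption: in real use the caller loads the full 2048-word BIP39 English
# list into a set. This short stand-in (the first words of that list) keeps
# the example self-contained and offline.
DEMO_WORDLIST = frozenset(
    "abandon ability able about above absent absorb abstract absurd abuse "
    "access accident account accuse achieve acid acoustic acquire across act "
    "action actor actress actual adapt add addict address adjust admit adult".split()
)

# Labels wallet apps print next to the words. A stealer keys on strings like
# these (in many languages) to decide which images are worth uploading;
# this list is constructed for the example.
PHRASE_KEYWORDS = ("recovery phrase", "seed phrase", "secret phrase",
                   "mnemonic", "backup phrase")

_WORD = re.compile(r"[a-z]+")


def normalize_ocr_text(text: str) -> list[str]:
    """Lower-case OCR output and keep only alphabetic tokens.

    Wallet screenshots usually show numbered words ("1. abandon  2. ability")
    across several lines; numbering, punctuation and newlines are dropped so
    the words form one sequence again.
    """
    return _WORD.findall(text.lower())


def has_phrase_keywords(text: str) -> list[str]:
    """Return the recovery-phrase labels present in the text (cheap pre-filter)."""
    lowered = text.lower()
    return [k for k in PHRASE_KEYWORDS if k in lowered]


def find_seed_phrases(text: str, wordlist=DEMO_WORDLIST) -> list[str]:
    """Return maximal runs of wordlist words whose length is a valid BIP39 size.

    Runs are maximal so that a stray wordlist word in surrounding UI text
    ("about", "add") is not mistaken for part of the phrase. A run of the
    wrong length is not reported at all, which errs towards missing a phrase
    rather than flagging ordinary text.
    """
    phrases = []
    run = []
    for token in normalize_ocr_text(text) + [None]:  # sentinel flushes the last run
        if token is not None and token in wordlist:
            run.append(token)
            continue
        if len(run) in VALID_LENGTHS:
            phrases.append(" ".join(run))
        run = []
    return phrases


def scan_screenshot_text(text: str, wordlist=DEMO_WORDLIST) -> dict:
    """Combine both signals the way a filter over OCR output would."""
    return {
        "keywords": has_phrase_keywords(text),
        "phrases": find_seed_phrases(text, wordlist),
    }


# Constructed OCR output, not a real capture: a 12-word phrase laid out as a
# wallet app would display it, plus a harmless food-delivery screenshot.
SAMPLE_WALLET_OCR = """Your Secret Recovery Phrase
Write it down and keep it safe
1. abandon   2. ability   3. able
4. about     5. above     6. absent
7. absorb    8. abstract  9. absurd
10. abuse    11. access   12. accident
"""

SAMPLE_DELIVERY_OCR = """Your order is about to arrive
Add a tip for the rider
"""

if __name__ == "__main__":
    for name, sample in (("wallet", SAMPLE_WALLET_OCR),
                         ("delivery", SAMPLE_DELIVERY_OCR)):
        print(name, scan_screenshot_text(sample))
```

The delivery screenshot contains two wordlist words ("about", "add") but they never form a run of a valid length, so it is not flagged; the wallet screenshot yields the full 12-word phrase despite the numbering and line breaks. With the real 2048-word list the same logic applies unchanged, and a stricter version would also verify the BIP39 checksum, which needs the word indices from the full list.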

Which Applications Are Affected and How Does This Malware Infiltrate Them?

That is the worst part. It does not hide in suspicious or unknown apps. Kaspersky found it embedded in food delivery apps, enterprise messaging apps and other ordinary-looking apps. In other words, an app you use every day, one you have heard of, one officially published on the store, could be carrying it.

So how did it get past the App Store and Google Play, large platforms with security teams and review processes? Through a clever trick. The malicious code was not written into the app itself; it shipped inside an SDK, a third-party component that developers pull into their apps.

The SDK presented itself as an analytics module, something that only tracks app performance, so nothing looked unusual to security scanners and it slipped through the platforms' review. Whether every app developer knew what they were embedding is a separate question; Kaspersky could not determine in its original report whether the developers were complicit or themselves victims of a supply chain attack. On Android the SDK contained a Java component named Spark, which gave the whole campaign its name, SparkCat.

Is iOS Safe or Not? Why This Question Has Become Critically Important

Many people believe viruses are an Android problem and iOS is completely safe: Apple runs a closed system with strict reviews. SparkCat punctured that myth. For the first time, an OCR-based stealer passed App Store review and sat inside a published app. This was a notable moment in mobile security.

One more point about the new 2026 variant: its iOS version specifically searches for crypto wallet phrases in English. Where the previous variant targeted users in Asia, the new one can affect iOS users anywhere in the world. Whether you are in Pakistan, the UK or the US, if you have an infected app on your phone and a screenshot of your recovery phrase in your gallery, you are at risk.

Who Are These People and Where Are They From?

The code analysed by Kaspersky researchers contained comments and error messages in Chinese, and the developer's home directory path left in it contained a Chinese name. The researchers therefore assess that the campaign is run by Chinese-speaking operators. From February 2025 to April 2026, for over a year, they kept upgrading the malware, which shows this was a sustained operation and not a one-off experiment: they evolved their tools, hid them in new apps and attacked again.

Another technically interesting detail: the module that talks to the attackers' server is written in Rust. That is rare enough in mobile apps that it surprised the researchers. Mobile malware usually sticks to the platform's own languages (Java or Kotlin on Android, Swift or Objective-C on iOS); choosing Rust points to a technically capable crew making a deliberately unusual choice that also makes analysis and detection harder.

How Much Damage Has Been Caused So Far?

According to Kaspersky's February 2025 report, the infected apps had been downloaded more than 242,000 times from Google Play alone, not counting iOS. That is a huge number. Every one of those downloads was a potential victim, and anyone among them with a photo of a recovery phrase on their phone could lose their crypto without warning.

What Should You Do Now?

First and foremost, delete any screenshot of your crypto wallet recovery phrase from your gallery today. This information should never exist as a photo, and a cloud-synced album or a notes app is no better. Write it on paper (or stamp it in metal) and keep it offline, or, if you must keep a digital copy, in a reputable password manager. Then check which apps can see your photos: on iOS, Settings > Privacy & Security > Photos; on Android, the permission manager under Settings, entry "Photos and videos" (the exact path varies by vendor). Revoke full access from anything that does not strictly need it, and be especially wary of any app that recently updated or that you have given photo access to. If you suspect your wallet has been exposed, create a new wallet with a new seed phrase on a separate, clean device and move your funds there; never type the old phrase into the phone you suspect.

The story of SparkCat is a lesson for all of us. The assumption that anything downloaded from the official store is safe no longer holds; malware has grown clever enough to get past both the App Store and the Play Store. In the crypto world you are your own bank: no one will unfreeze your account or return your money, so everything is your responsibility. Treat your recovery phrase as your most sensitive secret, more sensitive than your bank password. A bank password can be changed. Once the recovery phrase leaks, everything is gone.

xploitzone

Exploring the world of cybersecurity through in depth analysis of vulnerabilities,data breaches and emerging threats. Delivering real insights technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
