Executive Summary
In April 2026, cybersecurity researchers identified a new variant of the SparkCat malware infiltrating both the Apple App Store and Google Play Store. This sophisticated malware masquerades as legitimate applications, such as enterprise messengers and food delivery services, to gain access to users' photo galleries. Once installed, it employs optical character recognition (OCR) technology to scan images for cryptocurrency wallet recovery phrases, subsequently exfiltrating this sensitive information to attacker-controlled servers. The malware's advanced obfuscation techniques and cross-platform capabilities underscore the evolving threat landscape targeting mobile users.
The resurgence of SparkCat highlights a concerning trend in mobile malware development, emphasizing the need for heightened vigilance among users and app store operators. The ability of such malware to bypass official app store security measures and target sensitive financial information calls for enhanced detection mechanisms and user education to mitigate potential risks.
Why This Matters Now
The emergence of this new SparkCat variant underscores the increasing sophistication of mobile malware and its potential to compromise sensitive financial data. Users must exercise caution when downloading apps, even from official stores, and remain vigilant about granting permissions to access personal information.
Attack Path Analysis
SparkCat reached devices through apps that looked legitimate, such as enterprise messengers and food delivery services, distributed by the official stores. It did not exploit a vulnerability to escalate privileges: the malicious component asked the user for permission to read the photo gallery, a request that looks routine in a messenger or delivery app. With that access it ran OCR over stored images and searched the extracted text for cryptocurrency wallet recovery phrases, then sent the matching material to attacker-controlled servers, which also acted as its command and control. A recovery phrase is enough to restore a wallet on any device, so the attackers could drain victims' funds without touching the phone again. There is no lateral movement in this chain; the impact is direct theft from the affected wallets.
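The step that makes this attack work is the classifier that turns noisy OCR output into "this image holds a recovery phrase". The example below is added here and is not SparkCat's code or anything from the cited reports; it shows the check such malware needs, which is also the check a DLP or forensics tool can run over a screenshot store. Standard wallet phrases follow BIP-39: 12 to 24 words from a fixed 2048-word list, the last word carrying a checksum of the entropy. The wordlist, the sample OCR text and the phrase it contains are constructed (the real list would be loaded from a file); the checksum logic is the real BIP-39 scheme.

```python
import hashlib
import re

# Constructed stand-in for the 2048-word BIP-39 English list so the example
# runs offline; in practice load the real list (one word per line, in order).
DEMO_WORDLIST = [f"w{i:04d}" for i in range(2048)]
VALID_LENGTHS = (24, 21, 18, 15, 12)  # longest first for the sliding search


def entropy_to_mnemonic(entropy: bytes, wordlist: list[str]) -> list[str]:
    """Encode 128..256 bits of entropy as a BIP-39 mnemonic (used to build test data)."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [wordlist[(bits >> (total - 11 * (i + 1))) & 0x7FF]
            for i in range(total // 11)]


def is_valid_mnemonic(words: list[str], index: dict[str, int]) -> bool:
    """True if every word is in the list and the embedded checksum matches.

    The checksum (4 to 8 bits, depending on length) is what separates a real
    recovery phrase from any run of dictionary words the OCR happened to see.
    """
    if len(words) not in VALID_LENGTHS or any(w not in index for w in words):
        return False
    bits = 0
    for w in words:
        bits = (bits << 11) | index[w]
    total = len(words) * 11
    cs_bits = total // 33
    entropy = (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    return (bits & ((1 << cs_bits) - 1)) == expected


def find_recovery_phrases(ocr_text: str, wordlist: list[str]) -> list[list[str]]:
    """Return every checksum-valid phrase found in noisy OCR output.

    OCR text is lowercased and split on anything that is not a letter or
    digit; pure-number tokens ('1.', '12)') are dropped so numbered backup
    lists still form one contiguous run of candidate words.
    """
    index = {w: i for i, w in enumerate(wordlist)}
    tokens = [t for t in re.split(r"[^a-z0-9]+", ocr_text.lower())
              if t and not t.isdigit()]
    found: list[list[str]] = []
    i = 0
    while i < len(tokens):
        if tokens[i] not in index:
            i += 1
            continue
        j = i
        while j < len(tokens) and tokens[j] in index:
            j += 1
        run = tokens[i:j]  # maximal run of in-vocabulary words
        k = 0
        while k < len(run):
            hit = next((run[k:k + n] for n in VALID_LENGTHS
                        if len(run) - k >= n
                        and is_valid_mnemonic(run[k:k + n], index)), None)
            if hit is None:
                k += 1
            else:
                found.append(hit)
                k += len(hit)
        i = j
    return found


# Constructed OCR output from a "backup" screenshot: a numbered 12-word phrase
# surrounded by unrelated text. Hypothetical content, not a real capture.
DEMO_PHRASE = entropy_to_mnemonic(bytes(range(16)), DEMO_WORDLIST)
SAMPLE_OCR = ("Wallet backup - do not share\n"
              + "\n".join(f"{n}. {w}" for n, w in enumerate(DEMO_PHRASE, 1))
              + "\nOrder #4412 delivered w0001 w0002 w0003\n")

if __name__ == "__main__":
    for phrase in find_recovery_phrases(SAMPLE_OCR, DEMO_WORDLIST):
        print("recovery phrase found:", " ".join(phrase))
```

The checksum test is the important design choice: a keyword or "run of dictionary words" heuristic produces false positives on ordinary screenshots, while a checksum-valid run of 12 or more list words is almost never accidental. Defenders scanning their own image stores should also treat partial matches (a run of list words that fails the checksum) as worth a look, since OCR frequently misreads one word.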
Kill Chain Progression
Initial Compromise
Description
The SparkCat malware infiltrated mobile devices through seemingly benign apps, such as enterprise messengers and food delivery services, available on official app stores.
MITRE ATT&CK® Techniques
Malicious or Vulnerable Application
Access Sensitive Data in Device Logs
Access Sensitive Data in Device Backups
Access Sensitive Data in Device Storage
Access Sensitive Data in Device Memory
Access Sensitive Data in Device Sensors
Access Sensitive Data in Device Network Traffic
Access Sensitive Data in Device Applications
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the malware, including operational, regulatory, and cloud security risks.
Banking/Mortgage
SparkCat mobile malware targeting crypto wallet recovery phrases poses critical risk to financial institutions' digital asset custody and mobile banking applications.
Financial Services
Mobile malware infiltrating app stores threatens financial service providers' customer data through compromised enterprise messenger apps and cryptocurrency wallet theft.
Computer Software/Engineering
Software companies face supply chain risks as SparkCat variants bypass app store security, requiring enhanced mobile application security and code integrity measures.
Telecommunications
Mobile network operators must address encrypted traffic monitoring gaps and implement zero trust segmentation to prevent lateral movement from compromised mobile devices.
Sources
- New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images: https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html
- Kaspersky discovers new crypto-stealing Trojan in AppStore and Google Play: https://www.kaspersky.com/about/press-releases/kaspersky-discovers-new-crypto-stealing-trojan-in-appstore-and-google-play
- Malicious apps on Android and iOS scan screenshots to steal cryptocurrencies: https://www.techspot.com/news/106665-malicious-apps-android-ios-scan-screenshots-steal-cryptocurrencies.html
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this incident for devices that reach corporate or cloud resources through a fabric it controls: in that setting it could have limited what a compromised device could reach and where it could send data, reducing the attack's overall impact. The on-device steps (the permission grant and the OCR scan of the gallery) are not visible to a network control and have to be addressed with app permission policy and endpoint management.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The malware's initial infiltration via seemingly benign apps could have been constrained, reducing the likelihood of successful device compromise.
Control: Zero Trust Segmentation
Mitigation: A compromised device's access to sensitive internal resources could have been limited, reducing the scope of potential data exposure.
Control: East-West Traffic Security
Mitigation: A compromised device's reach into other systems on the network could have been constrained, reducing the risk of internal data compromise.
Control: Multicloud Visibility & Control
Mitigation: The malware's ability to establish command and control channels could have been limited, reducing the risk of data exfiltration.
Control: Egress Security & Policy Enforcement
Mitigation: The malware's ability to exfiltrate sensitive data could have been constrained, reducing the likelihood of financial theft.
The overall impact of unauthorized access and financial theft could have been reduced, limiting the extent of the attack's success.
Impact at a Glance
Affected Business Functions
- Cryptocurrency Wallet Management
- Mobile Application Security
- User Data Privacy
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of cryptocurrency wallet recovery phrases and other sensitive information stored in users' photo galleries.
Recommended Actions
Key Takeaways & Next Steps
- Restrict app permissions through mobile device management (only approved apps get photo access) and apply Zero Trust Segmentation so a compromised device reaches only the resources it needs.
- Use Threat Detection & Anomaly Response systems to identify and respond to unauthorized data access attempts.
- Enforce Egress Security & Policy Enforcement to monitor and block uploads to unknown destinations.
- Apply Multicloud Visibility & Control to gain comprehensive insight into data flows and detect anomalies.
- Educate users not to store recovery phrases as screenshots or photos, and to question gallery-access requests from apps that do not need them.
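A concrete version of the permission check above, added here as an example and not code from the page or from any cited vendor: enumerate the user-installed apps on a managed Android device and report which of them currently hold a gallery-reading permission. It parses the output of `adb shell pm list packages -3` and `adb shell dumpsys package <pkg>`; the dumpsys excerpt below is constructed in that layout and the package name in it is hypothetical. iOS has no equivalent command line, so there the same review is done under Settings, Privacy & Security, Photos.

```python
import re
import subprocess

# Permissions that expose the photo gallery on current Android versions.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",                # Android 13+
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",  # Android 14+ partial access
    "android.permission.READ_EXTERNAL_STORAGE",            # Android 12 and earlier
}

# One runtime-permission line as printed by `dumpsys package`.
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def granted_photo_permissions(dumpsys_output: str) -> set[str]:
    """Photo-related runtime permissions the package currently holds."""
    return {name for name, state in GRANT_RE.findall(dumpsys_output)
            if state == "true" and name in PHOTO_PERMISSIONS}


def third_party_packages(pm_output: str) -> list[str]:
    """Parse `pm list packages -3` output ('package:<name>' per line)."""
    return [line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def audit_device(adb: str = "adb") -> dict[str, set[str]]:
    """Report every user-installed app that can read the gallery (needs adb)."""
    def sh(*args: str) -> str:
        return subprocess.run([adb, "shell", *args], capture_output=True,
                              text=True, check=True).stdout

    report: dict[str, set[str]] = {}
    for pkg in third_party_packages(sh("pm", "list", "packages", "-3")):
        perms = granted_photo_permissions(sh("dumpsys", "package", pkg))
        if perms:
            report[pkg] = perms
    return report


# Constructed excerpt in the dumpsys layout; the package name is hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fooddelivery] (a1b2c3d):
    userId=10201
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
"""

if __name__ == "__main__":
    print("sample:", sorted(granted_photo_permissions(SAMPLE_DUMPSYS)))
    try:
        for pkg, perms in audit_device().items():
            print(pkg, sorted(perms))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("no device reachable via adb")
```

Any messenger or delivery app that appears in the report deserves a second look: neither needs standing access to the whole gallery, and on Android 14 the partial-access permission lets a user share specific photos without granting it.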