A variant of the SparkCat malware disguises itself within legitimate messaging and food delivery applications in Google Play and the App Store. The Android version focuses attacks on Asian users by scanning device galleries with region-specific OCR for local languages, while the iOS variant operates globally to harvest English-language cryptocurrency wallet recovery phrases. Novel obfuscation techniques such as code virtualization complicate reverse engineering. Kaspersky identifies these threats as HEUR:Trojan.AndroidOS.SparkCat and HEUR:Trojan.IphoneOS.SparkCat.
SparkCat variant exploits compromised enterprise and delivery apps worldwide
The latest SparkCat iteration propagates through legitimate enterprise messaging and food delivery applications available on both Google Play and the App Store. Kaspersky researchers uncovered two infected messenger programs within the App Store and a compromised food delivery application in Google Play. Additionally, the attackers deployed deceptive third-party websites emulating official storefront layouts to lure iPhone users into installing malicious payloads disguised as legitimate updates or app downloads.
SparkCat Android malware employs OCR scanning Asian crypto screenshots
The Android edition of SparkCat autonomously scans photo libraries for screenshots containing targeted keywords in Japanese, Korean, and Chinese. Employing an embedded OCR engine, it isolates images that match specified cryptocurrency-related terms and exfiltrates them to a remote command-and-control server. By focusing on language-specific triggers, the malware avoids irrelevant data harvesting. According to Kaspersky's analysis, this tailored screening highlights that its operational objective is compromising crypto-wallet users across Asian markets.
iOS SparkCat Malware Hunts English Crypto-Wallet Recovery Phrases Globally
This iOS iteration scans devices worldwide for English-language crypto wallet recovery phrases, enabling attackers to exfiltrate critical seed words. Leveraging cross-platform development frameworks, the malware adapts seamlessly to numerous iPhone models and firmware versions, bypassing compatibility constraints. The unified codebase facilitates deployment of updates and targeted strategies, significantly broadening the potential victim pool. Security analysts warn that this flexible architecture raises the stakes for user vigilance and mobile threat defenses.
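As an added illustration (not code from this article or from Kaspersky), the defensive counterpart of the gallery scan described above: a hygiene check an owner can run over OCR text of their own screenshots to find recovery phrases that should live in an encrypted password manager rather than in an image. The BIP39 wordlist subset, image names and OCR text are constructed for the demo.

```python
import re

# Constructed subset of the 2048-word BIP39 English wordlist (assumption:
# a real check loads the full reference list; this subset is for the demo).
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
action actor actress actual adapt add addict address adjust admit
zebra zero zone zoo
""".split())

MIN_MNEMONIC_WORDS = 12  # BIP39 mnemonics are 12, 15, 18, 21 or 24 words


def find_word_runs(ocr_text, wordlist=BIP39_SUBSET, min_len=MIN_MNEMONIC_WORDS):
    """Return (start, length) for every run of >= min_len consecutive
    wordlist words in OCR'd text. Digits and punctuation (e.g. the
    '1.' '2.' numbering many wallets print) are dropped by the tokenizer,
    so a numbered backup still forms one run. A run may be longer than the
    phrase itself when neighbouring words ('keep safe') are also in the
    list, which is why a minimum length, not an exact length, is used."""
    tokens = re.findall(r"[a-z]+", ocr_text.lower())
    runs, start = [], None
    for i, tok in enumerate(tokens + [None]):  # sentinel flushes last run
        if tok in wordlist:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    return runs


def scan_screenshots(ocr_by_image):
    """Map image name -> OCR text; return names whose text looks like a
    recovery phrase, so the owner can move it to a password manager and
    delete the image. Ordinary prose rarely yields 12 consecutive
    wordlist words, but expect occasional false positives to review."""
    return {name: runs for name, text in ocr_by_image.items()
            if (runs := find_word_runs(text))}


# Constructed OCR output standing in for two gallery images.
SAMPLE_OCR = {
    "IMG_0001.png": ("Wallet backup - keep safe!\n"
                     "1. abandon 2. ability 3. able 4. about 5. above 6. absent\n"
                     "7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident"),
    "IMG_0002.png": "Lunch menu: noodle soup, zero sugar soda, zone A pickup",
}

if __name__ == "__main__":
    for name, runs in scan_screenshots(SAMPLE_OCR).items():
        print(f"{name}: possible recovery phrase, runs={runs}")
```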
New SparkCat malware uses code virtualization to evade analysis
The latest SparkCat variant leverages concealment layers such as code virtualization and cross-platform programming to bypass static and dynamic analysis. It abstracts execution logic into emulated segments, evading signature-based detection and enabling adaptable runtime behavior across diverse mobile platforms. Employing multi-target languages reduces identifiable code structures, complicating reverse engineering. These sophisticated techniques, rare in mobile malware, underscore the developers' skill level and represent an evolution in stealth strategies for malware.
Kaspersky alerts Google and Apple, SparkCat code promptly removed
Kaspersky notified Google and Apple of compromised applications, prompting removal of malicious code from their stores. Signatures HEUR:Trojan.AndroidOS.SparkCat and HEUR:Trojan.IphoneOS.SparkCat reliably detect this threat. To mitigate risk, users must uninstall affected apps immediately, audit permissions, and store sensitive data, such as cryptocurrency wallet recovery phrases, exclusively in encrypted password managers like Kaspersky Password Manager. Using a robust mobile security solution, such as Kaspersky Premium, ensures comprehensive protection against evolving malware.
SparkCat leverages advanced obfuscation techniques, using multi-layered transformations and virtualization to conceal malicious routines from static and dynamic analysis. Its cross-platform codebase enables rapid deployment on Android and iOS devices, and an integrated OCR module scans stored screenshots for valuable information. This modular design simplifies feature updates and facilitates region-specific targeting, enabling attackers to adapt quickly to changing requirements. These combined capabilities position SparkCat as a cutting-edge mobile malware framework.

