Full Report
Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems. The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while
Analysis Summary
# Tool/Technique: SparkCat
## Overview
SparkCat is a sophisticated cross-platform Trojan targeting mobile devices to steal cryptocurrency. It masquerades as legitimate applications—such as enterprise messaging tools and food delivery services—to gain access to the device's photo gallery. Once authorized, it uses Optical Character Recognition (OCR) to identify and exfiltrate images containing cryptocurrency wallet recovery (mnemonic) phrases.
## Technical Details
- **Type:** Malware family (Trojan/Infostealer)
- **Platform:** iOS and Android
- **Capabilities:** Media library access, local OCR processing, credential theft, code obfuscation, and data exfiltration.
- **First Seen:** February 2025 (Initial version); April 2026 (Updated variant).
## MITRE ATT&CK Mapping
- **[TA0029 - Discovery]**
  - [T1418 - Software Discovery]
  - [T1645 - Local Email and Content Search]
- **[TA0032 - Collection]**
  - [T1430 - Location Tracking / Media Acquisition]
  - [T1512 - Data from Local System]
- **[TA0034 - Exfiltration]**
  - [T1041 - Exfiltration Over C2 Channel]
- **[TA0031 - Defense Evasion]**
  - [T1406 - Obfuscated Files or Information]
  - [T1635.002 - Code Virtualization]
## Functionality
### Core Capabilities
- **OCR-Based Stealing:** Uses an integrated Optical Character Recognition model to scan images for specific text patterns related to crypto recovery phrases.
- **Image Exfiltration:** Automatically uploads identified images containing sensitive keywords to attacker-controlled C2 servers.
- **Social Engineering:** Impersonates benign enterprise or utility apps to trick users into granting "Photos" permissions.
### Advanced Features
- **Multi-Language Support:** The Android variant targets Asian markets by scanning for Japanese, Korean, and Chinese keywords.
- **Broad Reach (iOS):** The iOS variant specifically targets English-language mnemonic phrases, allowing for global applicability.
- **Anti-Analysis Techniques:** Employs code virtualization and cross-platform programming languages to complicate reverse engineering and detection.
- **Multi-Layered Obfuscation:** The 2026 variant introduced increased complexity to sidestep automated security scanners in official app stores.
## Indicators of Compromise
- **File Hashes:** [Not provided in source text]
- **File Names:** Disguised as enterprise messengers and food delivery apps.
- **Registry Keys:** N/A (Mobile platforms)
- **Network Indicators:**
  - Attacker-controlled exfiltration servers (specific domains/IPs not provided in source).
  - C2 communication via standard HTTPS.
- **Behavioral Indicators:**
  - Requests for "Full Access" to photo galleries by apps that do not require such functionality (e.g., enterprise tools).
  - High CPU usage during background OCR processing.
## Associated Threat Actors
- **Chinese-speaking operator:** Initial assessment based on language patterns and targeting (unnamed specifically in source).
## Detection Methods
- **Signature-based detection:** Modern mobile security solutions (e.g., Kaspersky) identified the 2026 variant using updated signatures.
- **Behavioral detection:** Monitoring for apps performing intensive background processing of media files or unauthorized exfiltration of image data.
- **Static Analysis:** Identifying "code virtualization" markers or the presence of OCR libraries in enterprise-focused application binaries.
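One way to turn the static-analysis and behavioral indicators above (gallery permission requested by an app category that does not need it, an OCR library bundled in an enterprise or utility app, obfuscated native code) into a repeatable triage check, as an added example that is not part of the original report. The permission identifiers are the real Android/iOS names; the OCR library markers, store categories, scoring threshold and both app records are constructed assumptions.

```python
"""Static triage for SparkCat-style OCR stealers (constructed example).
Scores an app from metadata available after unpacking it: declared
permissions, bundled libraries, store category. Library names are common
OCR packages used as illustrative markers, not indicators from any report."""
from dataclasses import dataclass, field

# Permissions granting broad read access to the photo gallery.
GALLERY_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13+
    "android.permission.READ_EXTERNAL_STORAGE",  # older Android
    "NSPhotoLibraryUsageDescription",            # iOS Info.plist key
}
OCR_MARKERS = ("mlkit", "text_recognition", "tesseract", "ocr")  # assumed markers
LOW_NEED_CATEGORIES = {"business", "food_and_drink", "messaging"}  # assumed
REVIEW_THRESHOLD = 3  # assumed cut-off for manual review


@dataclass
class AppRecord:
    name: str
    category: str
    permissions: set = field(default_factory=set)
    libraries: set = field(default_factory=set)
    obfuscated_native_code: bool = False  # packed or virtualized native libs


def triage(app):
    """Return (score, findings); score >= REVIEW_THRESHOLD needs manual review."""
    wants_gallery = bool(app.permissions & GALLERY_PERMISSIONS)
    has_ocr = any(m in lib.lower() for lib in app.libraries for m in OCR_MARKERS)
    low_need = app.category in LOW_NEED_CATEGORIES
    checks = (
        (wants_gallery and low_need, "gallery access requested by a category that rarely needs it"),
        (has_ocr and low_need, "OCR library bundled outside scanner/document categories"),
        (wants_gallery and has_ocr, "gallery access plus OCR can read seed-phrase screenshots"),
        (app.obfuscated_native_code, "obfuscated or virtualized native code blocks static review"),
    )
    findings = [msg for hit, msg in checks if hit]
    return len(findings), findings


# Constructed samples: a SparkCat-like "enterprise messenger" and a genuine scanner.
SUSPECT = AppRecord("TeamChat", "messaging",
                    {"android.permission.READ_MEDIA_IMAGES", "android.permission.INTERNET"},
                    {"libmlkit_text_recognition.so", "libflutter.so"}, obfuscated_native_code=True)
SCANNER = AppRecord("DocScan", "productivity",
                    {"android.permission.READ_MEDIA_IMAGES"}, {"libtesseract.so"})
```

A document scanner legitimately combines gallery access with OCR and scores 1, below the review threshold; the messenger accumulates all four findings because the permission and library make no sense for its stated purpose.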
## Mitigation Strategies
- **Least Privilege:** Users should deny photo gallery access to applications that do not strictly require it for their primary function.
- **Device Security:** Install reputable mobile EDR/security software to scan for known malicious signatures and suspicious behaviors.
- **Credential Hygiene:** Avoid storing screenshots or photos of cryptocurrency recovery phrases in mobile galleries; use encrypted password managers or physical "cold" storage.
- **App Provenance:** Exercise caution even with official stores (App Store/Google Play), ensuring apps are from verified and reputable developers.
## Related Tools/Techniques
- **OCR-based Stealers:** Similar to desktop-based malware that captures screenshots of crypto-wallets.
- **Cross-Platform Frameworks:** Use of technologies like Flutter or React Native to deploy a single codebase across iOS and Android.