
New SparkCat Malware Variant Targets Crypto Wallet Recovery Phrases on Mobile Devices

Crime & Security · AI-Generated & Algorithmically Scored

AI-generated from multiple sources. Verify before acting on this reporting.

A new variant of the SparkCat malware has been identified in iOS and Android applications, designed to steal cryptocurrency wallet recovery phrase images from users' devices. The discovery marks a significant escalation in mobile-targeted cyberattacks, as the malicious software specifically seeks out sensitive authentication data stored as screenshots or gallery images.

The malware, which operates on both major mobile operating systems, infiltrates applications to access the device's photo gallery and file storage. Once inside, it scans for images containing recovery phrases, which are typically 12- to 24-word sequences used to restore access to digital wallets. Users often save these phrases as images for backup purposes, making them a prime target for attackers seeking unauthorized access to cryptocurrency holdings.

Security researchers identified the new variant on April 3, 2026, noting that it employs advanced obfuscation techniques to evade detection by standard mobile security software. Unlike previous iterations of SparkCat, which primarily targeted desktop systems, this version has been adapted to exploit vulnerabilities in mobile app permissions and storage access protocols.

The attack vector involves tricking users into downloading compromised applications or updates that appear legitimate. Once installed, the malware requests access to the device's media library under the guise of functionality improvements or feature enhancements. Users who grant these permissions unknowingly expose their stored recovery phrases to the malicious code.

No specific geographic location or targeted group has been identified in connection with the deployment of this variant. The malware's distribution method remains unclear, though it appears to be spreading through third-party app stores and unofficial download channels. Authorities have not yet attributed the attack to any known criminal organization or state-sponsored actor.

The financial impact of the breach remains unknown, as many victims may not immediately discover the theft of their recovery phrases. Unlike traditional password theft, the compromise of a recovery phrase grants attackers complete control over the associated wallet, allowing them to transfer funds without triggering immediate alerts.

Mobile device manufacturers and app store operators have not issued official statements regarding the threat. However, security experts recommend that users avoid saving recovery phrases as images and instead use encrypted password managers or hardware wallets for storage. They also advise reviewing app permissions regularly and removing any applications that request unnecessary access to media files.
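One way to act on the permission-review advice above, as an added example that is not from the article or from any vendor: a small Python audit that parses a simplified, constructed `dumpsys package`-style dump and flags Android apps holding gallery read permissions that are not on a hypothetical allow-list. The `Package [name]` / `<permission>: granted=true` layout, the allow-list and the package names are assumptions for the example.

```python
import re

# Runtime permissions that grant read access to the photo gallery / shared storage.
MEDIA_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13+ granular photo read
    "android.permission.READ_EXTERNAL_STORAGE",  # legacy shared-storage read
}
# Hypothetical allow-list of packages expected to hold gallery access.
EXPECTED_MEDIA_APPS = {"com.android.gallery3d"}
_PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
_PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_granted_permissions(dump: str) -> dict[str, list[str]]:
    """Map each package to the runtime permissions granted to it.
    Assumes the simplified 'dumpsys package' shape of SAMPLE_DUMP below: a
    'Package [name]' header followed by '<permission>: granted=true|false' lines.
    """
    granted: dict[str, list[str]] = {}
    current = None
    for line in dump.splitlines():
        if m := _PKG_RE.match(line):
            current = m.group(1)
            granted.setdefault(current, [])
        elif (m := _PERM_RE.match(line)) and current and m.group(2) == "true":
            granted[current].append(m.group(1))
    return granted


def find_unexpected_media_access(dump: str) -> list[str]:
    """Return packages holding gallery access that are not on the allow-list."""
    return sorted(
        pkg for pkg, perms in parse_granted_permissions(dump).items()
        if pkg not in EXPECTED_MEDIA_APPS and MEDIA_PERMISSIONS & set(perms)
    )


# Constructed sample in the simplified dumpsys shape (not captured from a device).
SAMPLE_DUMP = """\
Package [com.android.gallery3d] (1a2b3c):
    android.permission.READ_MEDIA_IMAGES: granted=true
Package [com.example.flashlight] (4d5e6f):
    android.permission.CAMERA: granted=true
    android.permission.READ_MEDIA_IMAGES: granted=true
Package [com.example.notes] (7a8b9c):
    android.permission.READ_EXTERNAL_STORAGE: granted=false
"""

if __name__ == "__main__":
    # On a real device: adb shell dumpsys package > dump.txt, then parse that file.
    for pkg in find_unexpected_media_access(SAMPLE_DUMP):
        print("review gallery access granted to:", pkg)
```

A flashlight-style utility holding photo read access is exactly the kind of mismatch the article's advice targets; the real `dumpsys` output is more verbose, so adapt the two regexes to the sections you actually see.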

The emergence of this variant raises questions about the security practices of mobile app developers and the effectiveness of current mobile security measures. As cryptocurrency adoption continues to grow, attackers are increasingly focusing on mobile platforms where users often store valuable digital assets. The incident underscores the need for enhanced security protocols and user education to prevent future breaches.

Investigation into the origin and scope of the SparkCat variant continues. Authorities are monitoring the situation for further developments and potential links to other cyberattacks. Users are urged to remain vigilant and take immediate steps to secure their digital wallets.