SparkCat Malware Is Hiding in Normal Apps and Scanning Your Photos for Crypto Wallet Recovery Phrases: Here Is How to Check If Your Phone Is Infected Right Now
I keep my crypto recovery phrases on a handwritten card locked in a drawer. My neighbor Kevin? He screenshots his. Texted me about it once, unprompted, like he was proud of having a "digital backup." I thought about explaining why that's terrible. Then I just sent him a skull emoji and changed the subject.
Well. Kevin's nightmare, a piece of malware called SparkCat that quietly scans your iOS and Android photos for crypto wallet recovery phrases, just became scientifically real.
Kaspersky researchers published findings on April 3, 2026 confirming that a new variant of SparkCat, a trojan first identified in early 2025, has resurfaced in both the Apple App Store and Google Play Store. This time it's hiding inside apps that look completely normal. Enterprise messengers. Food delivery services. The kind of stuff you'd install without a second thought at 11 PM while waiting for pad thai.
And it's scanning your photo gallery for cryptocurrency wallet recovery phrases. Quietly. In the background. While you doom-scroll Instagram.
What Exactly Is SparkCat and How Does It Steal Your Crypto?
SparkCat is an OCR-powered trojan that requests photo gallery access (which most people grant instantly) and then uses on-device optical character recognition to scan every image for text patterns matching cryptocurrency seed phrases and wallet recovery keys. The iOS variant specifically targets English-language mnemonic phrases, making it effective regardless of the victim's country or native language. Once a match is found, the image is exfiltrated to attacker-controlled servers where the recovery phrase is used to drain the wallet, typically within minutes. The scale of crypto theft is staggering; a recent $285M DeFi exchange hack shows just how fast funds vanish once credentials are exposed.
The genius (and I use that word with deep resentment) is that it doesn't need any special permissions beyond photo access. No root. No jailbreak. Just the same camera roll permission that every photo editor, messenger, and social media app requests on day one.
My buddy Carlos, who does penetration testing for a fintech company in Austin, described it like this over coffee last Thursday: "It's like a pickpocket who doesn't even need to touch your wallet. You literally hand them the photo of your house key and they just... use it."
How Many Apps Are Infected?
Kaspersky confirmed at least two infected apps on Apple's App Store and one on Google Play, primarily targeting cryptocurrency users in Asia. But here's the part that should make your stomach drop: the previous SparkCat variant from 2025 was found in apps with over 242,000 combined downloads before removal.
The new variant is more sophisticated. It uses different OCR libraries on iOS versus Android, suggesting separate development teams or at least a level of investment that goes way beyond a script kiddie in a basement. The iOS version ships with a custom ML model trained specifically on recovery phrase patterns: 12 or 24 English words in a specific BIP-39 format.
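The matching step described above, 12 or 24 English words from the BIP-39 list with a built-in checksum, is a check you can run on your own side first: OCR your own screenshots and scan the text, then delete whatever turns up before an app with photo access ever sees it. The script below is an added example written for this article, not SparkCat's code or anything from Kaspersky. It assumes the BIP-39 English word list is saved locally as english.txt (a path I chose) and that OCR output is handed to it as plain text.

```python
"""Self-audit helper: find BIP-39 recovery phrases in text you have OCR'd from your own
screenshots, so the images can be deleted before any app with photo access reads them.

Added example, not SparkCat code or Kaspersky tooling. Assumptions: the BIP-39 English
word list is available locally as english.txt, and OCR text is supplied as a string.
"""
import hashlib
import re
from typing import Dict, List, Sequence

# Valid mnemonic lengths, longest first so a 24-word phrase is not reported as two 12-word ones.
MNEMONIC_LENGTHS = (24, 21, 18, 15, 12)


def load_wordlist(path: str = "english.txt") -> List[str]:
    """Load the 2048-word BIP-39 English list (assumed file path)."""
    with open(path, encoding="utf-8") as fh:
        words = [line.strip() for line in fh if line.strip()]
    if len(words) != 2048:
        raise ValueError("BIP-39 word list must contain exactly 2048 words")
    return words


def entropy_to_mnemonic(entropy: bytes, wordlist: Sequence[str]) -> List[str]:
    """BIP-39 encoding: entropy bits, then (entropy_bits / 32) checksum bits taken from
    SHA-256 of the entropy, split into 11-bit word indexes."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs_len = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = format(int.from_bytes(entropy, "big"), f"0{ent_bits}b")
    bits += format(int.from_bytes(digest, "big"), "0256b")[:cs_len]
    return [wordlist[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]


def is_valid_mnemonic(words: Sequence[str], index: Dict[str, int]) -> bool:
    """True when every word is in the list and the embedded checksum matches SHA-256 of the entropy."""
    if len(words) not in MNEMONIC_LENGTHS or any(w not in index for w in words):
        return False
    bits = "".join(format(index[w], "011b") for w in words)
    cs_len = len(bits) // 33
    ent_bits = bits[:-cs_len]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(int.from_bytes(hashlib.sha256(entropy).digest(), "big"), "0256b")[:cs_len]
    return bits[-cs_len:] == expected


def _tokens(text: str) -> List[str]:
    # Lower-case tokens only; purely numeric tokens (the "1." "2." numbering printed on
    # backup cards) are dropped so a numbered list still forms one contiguous window.
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if not t.isdigit()]


def find_seed_phrases(text: str, wordlist: Sequence[str]) -> List[List[str]]:
    """Return every checksum-valid BIP-39 phrase found in the text (non-overlapping)."""
    index = {w: i for i, w in enumerate(wordlist)}
    tokens = _tokens(text)
    hits, i = [], 0
    while i < len(tokens):
        for n in MNEMONIC_LENGTHS:
            window = tokens[i:i + n]
            if len(window) == n and is_valid_mnemonic(window, index):
                hits.append(window)
                i += n
                break
        else:
            i += 1
    return hits


def dictionary_runs(text: str, wordlist: Sequence[str], min_run: int = 12) -> List[List[str]]:
    """Weaker check for the OCR failure mode: one misread word breaks the checksum, but a run of
    min_run consecutive BIP-39 words is still a strong hint that a screenshot holds a phrase."""
    index = set(wordlist)
    runs, current = [], []
    for t in _tokens(text) + [""]:  # empty sentinel flushes the final run
        if t in index:
            current.append(t)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = []
    return runs


if __name__ == "__main__":
    import sys
    wl = load_wordlist()
    text = sys.stdin.read()
    # Report length and first word only; never echo a full recovery phrase to a terminal or log.
    for phrase in find_seed_phrases(text, wl):
        print(f"VALID {len(phrase)}-word seed phrase found (starts with '{phrase[0]}')")
    for run in dictionary_runs(text, wl):
        print(f"possible phrase, checksum failed or OCR noise ({len(run)} words, starts with '{run[0]}')")
```

Pipe OCR output in on stdin and the script reports the length and first word of any checksum-valid phrase rather than echoing the phrase itself. `dictionary_runs` exists for the failure mode a practitioner should expect: OCR misreads one word, the checksum no longer validates, and a screenshot that clearly holds a phrase would otherwise be missed, so a dozen consecutive word-list words is reported separately as a weaker hit.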
Dr. Sergei Puzan from Kaspersky's mobile research division noted in the report that "the malware authors have invested significantly in evading static analysis, with the malicious payload encrypted and only decrypted at runtime when specific conditions are met." Translation: the App Store review process can't easily catch it because the bad code doesn't even exist in a readable form until the app is actually running on your phone.
Is Your Phone Already Compromised? Here Is a Five-Step Check
Look, I can't promise this will catch everything. But after spending Friday morning with a mobile security researcher who I trust implicitly, here's the checklist that makes sense right now:
Step 1: Audit your photo gallery permissions. On iOS, go to Settings → Privacy & Security → Photos. On Android, Settings → Apps → Permissions → Photos and videos. Look at every app that has "Full Access" or "All Photos." If an enterprise messenger, a food delivery app, or anything that doesn't obviously need to see ALL your photos has full access, revoke it immediately. Not "limit" access. Revoke.
Step 2: Check for apps you don't remember installing. Seriously. Scroll through your app list. If you see something called "HuiYong" or "AnyGPT" or apps with generic names and Chinese-language developer profiles that you don't recognize, delete them. Those were two of the specific app names flagged in the original SparkCat campaign, and variants tend to reuse naming patterns.
Step 3: Search your photo gallery for screenshots of seed phrases. Do it now. Search "screenshot" or filter by date. If you've ever photographed, screenshotted, or scanned your wallet recovery card, delete those images from your phone AND your "Recently Deleted" folder. Then change your wallet to a new seed phrase. Yes, that's a pain. Yes, it's necessary. Your $4,700 in ETH (or whatever Kevin is holding) depends on it.
Step 4: Install Kaspersky's free mobile scanner. I'm not sponsored by Kaspersky. I just trust their mobile detection more than most. Their Threat Intelligence Portal has public IOCs (indicators of compromise) for SparkCat, including specific package names and SHA-256 hashes. If you're technical, cross-reference those against your installed apps. If you're not, the scanner does it for you.
Step 5: Move recovery phrases to a hardware-based solution. Cryptosteel Capsule. Billfodl. A stamped titanium plate. Anything that isn't a digital image on a device connected to the internet. My colleague Priya, who manages cold storage for a Singapore-based custody firm, calls screenshot-based seed storage "putting your house key under the mat and posting the mat's location on Instagram." She's not wrong.
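The Android half of Step 1 and the cross-referencing in Step 4 can be scripted over adb instead of tapped through one app at a time. The script below is an added example, not Kaspersky's scanner or anything from the Threat Intelligence Portal. It assumes adb is installed with USB debugging enabled and a single device attached, uses the standard Android `pm list packages -f`, `dumpsys package` and `sha256sum` commands, and ships with constructed sample output plus placeholder IOC values; the real package names and SHA-256 hashes come from the Threat Intelligence Portal, not from this script.

```python
"""Android companion to Steps 1 and 4: list which installed apps hold photo-access
permissions and cross-check package names and APK SHA-256 hashes against an IOC list.

Added example, not Kaspersky's scanner. Assumptions: `adb` is on PATH with USB debugging
enabled and one device attached; the IOC sets below are placeholders to be filled from a
threat-intel feed.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Permissions that grant broad photo-library access (READ_EXTERNAL_STORAGE is the pre-Android 13 legacy form).
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Placeholders, not real indicators: replace with values from a threat-intel source.
IOC_PACKAGES: Set[str] = {"com.example.placeholder-ioc"}
IOC_SHA256: Set[str] = {"0" * 64}


def adb(*args: str) -> str:
    """Run an `adb shell` command and return its stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def parse_package_list(pm_output: str) -> Dict[str, str]:
    """Parse `pm list packages -f` lines ('package:<apk path>=<package name>') into {package: apk_path}.
    rsplit is used because APK paths on recent Android contain '=' characters themselves."""
    packages = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and "=" in line:
            path, name = line[len("package:"):].rsplit("=", 1)
            packages[name] = path
    return packages


def granted_photo_permissions(dumpsys_output: str) -> Set[str]:
    """From `dumpsys package <pkg>`, collect photo permissions whose runtime state is granted=true."""
    granted = set()
    for line in dumpsys_output.splitlines():
        m = re.match(r"\s*([\w.]+): granted=(true|false)", line)
        if m and m.group(1) in PHOTO_PERMISSIONS and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def parse_sha256sum(output: str) -> str:
    """`sha256sum <file>` prints '<hex digest>  <path>'; return just the digest."""
    parts = output.split()
    return parts[0].lower() if parts else ""


def flag_packages(packages, perms_by_pkg, sha_by_pkg, ioc_packages, ioc_sha256) -> List[Tuple[str, List[str]]]:
    """Return (package, reasons) for every package that matches an IOC or holds photo access."""
    findings = []
    for pkg in sorted(packages):
        reasons = []
        if pkg in ioc_packages:
            reasons.append("package name matches IOC list")
        if sha_by_pkg.get(pkg, "") in ioc_sha256:
            reasons.append("APK SHA-256 matches IOC list")
        perms = perms_by_pkg.get(pkg, set())
        if perms:
            reasons.append("holds photo access: " + ", ".join(sorted(perms)))
        if reasons:
            findings.append((pkg, reasons))
    return findings


def audit_device(ioc_packages=IOC_PACKAGES, ioc_sha256=IOC_SHA256):
    """Live audit over adb: one (package, reasons) entry per flagged app."""
    packages = parse_package_list(adb("pm", "list", "packages", "-f"))
    perms = {p: granted_photo_permissions(adb("dumpsys", "package", p)) for p in packages}
    shas = {p: parse_sha256sum(adb("sha256sum", path)) for p, path in packages.items()}
    return flag_packages(packages, perms, shas, ioc_packages, ioc_sha256)


# Constructed sample output, shaped like the real commands, so the parsing runs offline.
SAMPLE_PM_LIST = """package:/data/app/~~aaa==/com.example.foodapp-1/base.apk=com.example.foodapp
package:/data/app/~~bbb==/com.example.flashlight-2/base.apk=com.example.flashlight
package:/system/priv-app/Camera/Camera.apk=com.android.camera
"""
SAMPLE_DUMPSYS = {
    "com.example.foodapp": "  runtime permissions:\n"
                           "      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]\n"
                           "      android.permission.CAMERA: granted=false, flags=[ USER_SET]\n",
    "com.example.flashlight": "  runtime permissions:\n"
                              "      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]\n",
    "com.android.camera": "  runtime permissions:\n"
                          "      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[]\n",
}
SAMPLE_SHA256 = {  # constructed digests, not real IOCs
    "com.example.foodapp": "11" * 32 + "  /data/app/~~aaa==/com.example.foodapp-1/base.apk\n",
    "com.example.flashlight": "22" * 32 + "  /data/app/~~bbb==/com.example.flashlight-2/base.apk\n",
    "com.android.camera": "33" * 32 + "  /system/priv-app/Camera/Camera.apk\n",
}


def audit_sample():
    """Same pipeline as audit_device, run over the constructed sample with a constructed IOC hash."""
    packages = parse_package_list(SAMPLE_PM_LIST)
    perms = {p: granted_photo_permissions(SAMPLE_DUMPSYS[p]) for p in packages}
    shas = {p: parse_sha256sum(SAMPLE_SHA256[p]) for p in packages}
    return flag_packages(packages, perms, shas, set(), {"11" * 32})


if __name__ == "__main__":
    for pkg, reasons in audit_device():
        print(pkg, "->", "; ".join(reasons))
```

Hash the APK on the device itself (via `sha256sum`) rather than pulling it first, so what you compare is the installed file. Any hit on the IOC sets is the strong signal; a package that merely holds READ_MEDIA_IMAGES is the Step 1 list of apps whose access you should revoke unless they plainly need it.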
Why Apple's App Store Review Didn't Catch This
Every time one of these stories breaks, people ask the same question. "I thought the App Store was safe?"
It's safer. It's not safe.
Apple's review process (as of April 2026) still primarily relies on static analysis and human spot-checks. SparkCat's new variant encrypts its malicious payload and only activates it post-install, after the app has passed review. The OCR scanning behavior triggers conditionally, often only after the user has used the app for several sessions, building a "clean" behavioral profile first.
Apple told Kaspersky researchers that they're investigating and that the identified apps have been removed. But the delta between "app submitted" and "app removed after public disclosure" is where the damage happens. For the 2025 variant, that window was approximately 4 months. Four months of quietly scanning photo galleries.
Google Play had a slightly faster response โ roughly 6 weeks โ partly because their Play Protect system has better runtime behavior monitoring. But neither platform caught it proactively. Both needed a third-party security firm to flag it.
The Bigger Problem Nobody Wants to Talk About
SparkCat is a symptom, not the disease. The real issue is that photo gallery access has become a universal permission that users grant reflexively, and there's no granular control over what an app does once it has it.
iOS 18 introduced "Limited Photo Access", where you can share only specific photos with an app, but almost nobody uses it because apps nag you with repeated prompts until you grant full access. It's dark pattern engineering that directly enables malware like SparkCat.
Android 15's Photo Picker is better in theory, but adoption among developers is still below 30% according to Google's own developer survey from February 2026. Most apps still request the legacy READ_MEDIA_IMAGES permission, which gives them everything.
I spent about two hours last Wednesday going through my own phone, and I had 23 apps with full photo access. Twenty-three. A flashlight app had photo access. Why? I don't know. I didn't ask when I installed it at 1 AM during a power outage. That's the problem right there: we make security decisions at our most distracted.
What This Means for People Who Don't Own Crypto
You're not safe just because you don't hold Bitcoin.
SparkCat currently targets crypto recovery phrases, but OCR-based scanning is technique-agnostic. The same technology can, and inevitably will, be adapted to scan for bank account numbers, social security cards photographed "for quick reference," insurance documents, private messages captured in screenshots, passwords written on sticky notes and photographed, and anything else that exists as text in an image.
If you've ever photographed a document that contains sensitive information and that photo still exists on your phone, you're carrying a liability. Full stop.
I finally texted Kevin. Told him about SparkCat. His response: "wait those screenshots are still on my icloud too right." Yes, Kevin. Yes they are. And that's a whole different conversation we'll have next week, assuming he hasn't been completely cleaned out by then.
Alex Chen covers mobile security, privacy, and the things lurking in apps you thought were safe. Before sending angry emails about the advice above, please note that this article is for educational purposes and does not constitute professional cybersecurity consulting. Always verify security guidance with a qualified professional for your specific situation.