New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images

The SparkCat malware just evolved. A new variant has been spotted in three apps across iOS and Android app stores, and it's got one mission: steal your crypto wallet recovery phrases by scanning images on your device. This isn't just keylogging — it's optical character recognition (OCR) turned against you.

Discovered by Kaspersky's Threat Intelligence team, this malware variant scans device storage for images containing seed phrases or private keys, extracts the text via OCR, and exfiltrates it to a remote server. If you've ever taken a screenshot of your recovery phrase (you know who you are), you're a target.

The three malicious apps — disguised as legitimate tools — have already been downloaded thousands of times globally. Once installed, they request broad permissions to access photos, media, and files, then run silent background scans. No app names were disclosed in the source, but Kaspersky confirmed they've been removed from official stores.

This marks a significant escalation in mobile crypto theft. Previous SparkCat variants focused on clipboard hijacking or fake wallet apps. Now, it's hunting visual data — a reminder that even 'offline' backups aren't safe if they're digital.

Kaspersky advises users to avoid storing recovery phrases as images, regularly audit app permissions, and use hardware wallets for high-value crypto holdings. The researchers also noted that this variant uses more sophisticated evasion techniques, making detection harder for standard security software.

The broader implication? Mobile malware is getting creepily creative. If you're into crypto, treat your phone like a vault — because threat actors definitely are.