SparkCat Malware: A New Threat Stealing Crypto Wallets – Are You Protected?

In a digital era where cryptocurrencies are becoming increasingly popular, cyber attackers are intensifying their efforts to compromise unprotected users. The latest example is SparkCat, a sophisticated malware that utilizes optical character recognition (OCR) to steal recovery phrases of crypto wallets. This attack raises a crucial question for users and companies involved in the crypto ecosystem: Is your security prepared to withstand these threats?

What is SparkCat and how does it work?
SparkCat is not ordinary malware. It spreads through fake applications available on trusted platforms such as Google Play and the App Store, tricking users into installing them. Once activated, the malware scans images stored on the victim’s device and uses OCR to identify and extract the recovery phrases of crypto wallets.
These mnemonic phrases are essential for accessing crypto funds. Once compromised, attackers can transfer and sell the funds, leaving the victim with no chance of recovery.
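A defender-side counterpart to the OCR scan described above, added here as an example and not code from this article or from any SparkCat sample: given the OCR output of your own screenshots, it flags runs of BIP39 words that pass the mnemonic checksum, so an exposed backup can be found and moved off the device before an app with gallery access finds it. The wordlist subset and the sample OCR text are constructed for the example.

```python
import hashlib
import re

# Constructed subset of the BIP39 English wordlist (word -> index) so the
# example runs offline; a real scan loads all 2048 words in list order.
BIP39_SUBSET = {"abandon": 0, "ability": 1, "able": 2, "about": 3, "above": 4}

VALID_LENGTHS = (12, 15, 18, 21, 24)

# Constructed sample of what OCR might return for a backup screenshot.
# The phrase is the public BIP39 all-zero-entropy test vector, not a live wallet.
SAMPLE_OCR_TEXT = (
    "Wallet backup 2024\n"
    "abandon abandon abandon abandon abandon abandon "
    "abandon abandon abandon abandon abandon about\n"
    "keep safe"
)


def bip39_checksum_ok(words, wordlist):
    """True if the phrase decodes to entropy whose leading SHA-256 bits equal
    the phrase's trailing checksum bits, as BIP39 requires. Everyday words
    such as 'about' or 'able' rarely line up this way by chance."""
    n = len(words)
    if n not in VALID_LENGTHS:
        return False
    bits = "".join(format(wordlist[w], "011b") for w in words)
    cs_len = n // 3                      # checksum bits = entropy bits / 32
    ent_bits, cs_bits = bits[:-cs_len], bits[-cs_len:]
    entropy = int(ent_bits, 2).to_bytes(len(ent_bits) // 8, "big")
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs_len]
    return cs_bits == expected


def find_seed_phrases(ocr_text, wordlist=BIP39_SUBSET):
    """Return every run of 12-24 consecutive wordlist words in the OCR text
    that passes the BIP39 checksum, as space-joined strings."""
    tokens = re.findall(r"[a-z]+", ocr_text.lower())
    found, i = [], 0
    while i < len(tokens):
        j = i                            # extend the run of wordlist words
        while j < len(tokens) and tokens[j] in wordlist:
            j += 1
        run = tokens[i:j]
        for length in reversed(VALID_LENGTHS):
            for start in range(len(run) - length + 1):
                cand = run[start:start + length]
                if bip39_checksum_ok(cand, wordlist):
                    found.append(" ".join(cand))
        i = max(j, i + 1)
    return sorted(set(found))
```

Running it over `SAMPLE_OCR_TEXT` returns the single embedded phrase; a screenshot of ordinary text with no valid checksum returns an empty list.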
This malware campaign has been active since March 2024 and has spread through both official and unofficial app stores. The infected applications masquerade as artificial intelligence (AI), food delivery, and Web3 apps, some of which offer seemingly legitimate functionality.

A notable feature of SparkCat is its use of Rust-based communication for command-and-control (C2) interactions, a rarity in mobile malware. Additionally, it has been found that the campaign primarily targets users in Europe and Asia, with evidence suggesting that the threat actors behind the campaign are fluent in Chinese.

Why is this attack extremely dangerous?
  1. Advanced text recognition technology – Most users don’t imagine that images in their gallery can be scanned to extract sensitive information.
  2. Distribution through legitimate applications – SparkCat reaches devices through seemingly harmless apps available in official app stores.
  3. Devastating financial impact – Once the recovery phrase is compromised, lost funds are irrecoverable.
  4. Global targeting – SparkCat can affect both individual users and companies managing or investing in cryptocurrencies.
  5. Persistence and adaptability – Attackers constantly improve this method, hiding the malware in new applications and exploiting advanced technologies to avoid detection.
  6. Difficult detection – The permissions requested by infected apps appear legitimate, making it hard for users to identify malicious intent.

Other Emerging Mobile Malware Threats
The disclosure of SparkCat comes amid an increasing wave of mobile malware attacks, including a separate banking Trojan campaign discovered by Zimperium zLabs. This campaign, targeting Indian Android device users, distributes malicious APKs through WhatsApp, masquerading as banking and government applications.
Unlike conventional banking Trojans, this campaign leverages hard-coded phone numbers to exfiltrate SMS messages and OTPs, allowing attackers to hijack online banking accounts. Over 50,000 users have already been affected, with 2.5GB of sensitive financial data leaked online.
Meanwhile, researchers have also detected 24 new macOS malware families in 2024, up from 21 in 2023, highlighting a rise in info-stealer campaigns. Attackers increasingly exploit Apple’s native AppleScript framework to deceive users via social engineering and execute malicious actions.

How can you protect yourself against SparkCat?
A passive response is not enough – you need to implement proactive measures to prevent an attack before it’s too late.

Essential services for protection against SparkCat and other cyber threats:
  - Penetration Testing – We simulate real-world attacks on your systems to identify vulnerabilities before hackers do.
  - Advanced Mobile Device Security – We secure your smartphone and applications against hidden malware and cyber threats.
  - Cyber Intelligence & Monitoring – We provide advanced monitoring to quickly detect emerging threats and prevent attacks before they materialize.
  - Zero Trust Security Implementation – We limit access to critical data, ensuring that even in the event of a breach, attackers cannot access sensitive information.
  - Vulnerability Management & Risk-Based Patching – We ensure an efficient vulnerability remediation process to prevent exploitation.

Don’t wait to become the next victim! SparkCat is just one example of how attackers evolve and use advanced technologies to achieve their goals. Don’t wait for an attack to expose your vulnerabilities – take action now!

Contact us to find out how we can protect your business and digital assets from the latest cyber threats.