Kaspersky has uncovered a new variant of the SparkCat Trojan that has managed to bypass security checks on both the App Store and Google Play, raising fresh concerns over mobile cybersecurity risks.
The cybersecurity firm said the updated malware, first identified a year ago, has resurfaced through seemingly legitimate applications, including enterprise messaging platforms and a food delivery app. While the malicious code has since been removed, the incident highlights persistent vulnerabilities even within official app ecosystems.
According to Kaspersky Threat Research, the Trojan operates by requesting access to users’ photo galleries and scanning images for cryptocurrency wallet recovery phrases. Once a phrase is identified, the data is transmitted to attackers, potentially enabling them to gain access to users’ digital assets.
The Android version of the malware targets screenshots containing keywords in Japanese, Korean and Chinese, suggesting a focus on users in Asia. In contrast, the iOS variant scans for English-language mnemonic phrases, broadening its potential reach to users worldwide.
Kaspersky noted that the latest SparkCat iteration employs advanced obfuscation techniques, including code virtualisation and cross-platform programming — methods rarely seen in mobile malware. These enhancements allow it to evade detection and pass app store review processes.
Kaspersky has reported the affected applications to Apple and Google, and urged users to exercise caution when downloading apps, even from official sources, while avoiding storing sensitive information such as wallet seed phrases in photo galleries.





