SparkCat Infostealer Resurfaces in App Store and Play Store with Advanced Obfuscation
Cybersecurity researchers at Kaspersky have identified a resurgence of SparkCat, a mobile-focused infostealer targeting cryptocurrency seed phrases, hidden within apps on both the Apple App Store and Google Play Store. Despite rigorous vetting processes by Apple and Google, threat actors successfully distributed the malware through seemingly legitimate apps, including enterprise messengers and food delivery services.
First detected in 2025, SparkCat initially targeted Asian users by scanning for Japanese, Korean, and Chinese keywords in seed phrases, the 12- or 24-word recovery phrases used to restore cryptocurrency wallets. The malware employed Optical Character Recognition (OCR) to extract seed phrases from photos and screenshots, a tactic that previously drew attention for its sophistication.
The latest version introduces new obfuscation techniques, including code virtualization and cross-platform languages, making detection significantly harder. While the Android variant continues to focus on Asian languages, the iOS version now targets English mnemonics, expanding its reach to Western users.
Kaspersky reported the findings to Apple and Google, leading to the removal of some malicious apps. However, the incident highlights ongoing challenges in securing official app marketplaces against evolving malware threats.
{
  "id": "GOOAPP1775500447",
  "linkid": "googleplaybiz, appleinsider",
  "type": "Cyber Attack",
  "date": "1/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "iOS users (primarily English-speaking in latest version)",
      "industry": "Technology",
      "location": "Global",
      "name": "Apple App Store",
      "size": "Large",
      "type": "App marketplace"
    },
    {
      "customers_affected": "Android users (primarily Asian-language speakers)",
      "industry": "Technology",
      "location": "Global",
      "name": "Google Play Store",
      "size": "Large",
      "type": "App marketplace"
    },
    {
      "customers_affected": "Users of malicious apps (enterprise messengers, food delivery services)",
      "location": ["Asia (Japan, Korea, China)", "Western countries (English-speaking users)"],
      "type": "End users"
    }
  ],
  "attack_vector": "Malicious apps distributed via official app marketplaces (Apple App Store and Google Play Store)",
  "customer_advisories": "Users of enterprise messengers and food delivery apps on iOS/Android urged to check for malicious apps and avoid storing seed phrases in photos/screenshots.",
  "data_breach": {
    "data_exfiltration": "Yes (via OCR extraction from photos/screenshots)",
    "file_types_exposed": ["Images (photos/screenshots containing seed phrases)"],
    "personally_identifiable_information": "Cryptocurrency wallet recovery phrases (indirectly linked to financial assets)",
    "sensitivity_of_data": "High (direct access to cryptocurrency wallets)",
    "type_of_data_compromised": "Cryptocurrency seed phrases"
  },
  "date_detected": "2025",
  "description": "Cybersecurity researchers at Kaspersky have identified a resurgence of SparkCat, a mobile-focused infostealer targeting cryptocurrency seed phrases, hidden within apps on both the Apple App Store and Google Play Store. The malware was distributed through seemingly legitimate apps, including enterprise messengers and food delivery services, and employs advanced obfuscation techniques like code virtualization and cross-platform languages.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage to Apple and Google due to distribution via official app stores",
    "data_compromised": "Cryptocurrency seed phrases (12- or 24-word recovery phrases)",
    "identity_theft_risk": "High (risk of cryptocurrency wallet compromise and financial theft)",
    "systems_affected": ["Mobile devices (iOS and Android)"]
  },
  "initial_access_broker": {
    "entry_point": "Official app marketplaces (Apple App Store, Google Play Store)",
    "high_value_targets": "Cryptocurrency users (seed phrase holders)"
  },
  "investigation_status": "Ongoing (malicious apps removed, but threat actor activity may persist)",
  "lessons_learned": "Official app marketplaces remain vulnerable to sophisticated malware despite vetting processes. Advanced obfuscation techniques (e.g., code virtualization) can evade detection. Cross-platform malware targeting both iOS and Android is an emerging threat.",
  "motivation": "Financial gain (theft of cryptocurrency seed phrases)",
  "post_incident_analysis": {
    "corrective_actions": [
      "Improve app review processes to detect code virtualization and cross-platform malware.",
      "Collaborate with cybersecurity firms to identify emerging threats.",
      "Enhance user education on secure cryptocurrency seed phrase storage."
    ],
    "root_causes": [
      "Insufficient detection of advanced obfuscation techniques in app vetting processes.",
      "Exploitation of legitimate app functionalities (e.g., OCR) for malicious purposes.",
      "Cross-platform malware development targeting both iOS and Android."
    ]
  },
  "recommendations": [
    "Enhance app vetting processes for both Apple App Store and Google Play Store to detect advanced obfuscation techniques.",
    "Implement stricter monitoring for apps targeting cryptocurrency-related functionalities.",
    "Educate users on the risks of storing seed phrases in unsecured formats (e.g., photos/screenshots).",
    "Develop tools to detect OCR-based data extraction malware on mobile devices."
  ],
  "references": [{"source": "Kaspersky"}],
  "response": {
    "containment_measures": "Malicious apps removed from Apple App Store and Google Play Store",
    "third_party_assistance": "Kaspersky (cybersecurity researchers)"
  },
  "stakeholder_advisories": "Apple and Google notified; users advised to uninstall suspicious apps and monitor cryptocurrency wallets.",
  "title": "SparkCat Infostealer Resurfaces in App Store and Play Store with Advanced Obfuscation",
  "type": "Infostealer Malware"
}