New SparkCat Malware Variant Targets Crypto Wallets on iOS, Android

Cybersecurity researchers have identified a new variant of the SparkCat malware infiltrating both the Apple App Store and Google Play Store. This discovery comes over a year after the trojan was first observed targeting mobile operating systems. The malicious software hides within seemingly legitimate applications to steal images containing cryptocurrency wallet recovery phrases.

Malware Concealed in Everyday Apps

The latest iteration of the SparkCat malware has been found embedded within applications that appear benign to users. These include software masquerading as enterprise messaging tools and food delivery services. Once installed, the malware operates covertly, scanning the device for specific types of image files.

Its primary function is to locate and exfiltrate photographs or screenshots that contain the recovery seed phrases for cryptocurrency wallets. These phrases, typically a series of 12 or 24 words, are used to restore access to a digital asset wallet if a device is lost or compromised. The theft of such a phrase grants an attacker complete control over the associated cryptocurrency funds.

Continued Threat to Major App Stores

The presence of this evolved malware on both official app marketplaces highlights ongoing challenges in mobile application security. Despite rigorous review processes, malicious actors continue to find methods to bypass checks and distribute harmful code to a wide audience. The cross-platform nature of the threat, affecting both iOS and Android devices, significantly expands its potential impact.

Security analysts note that the malware’s persistence and adaptation over more than a year demonstrate a sustained development effort by its creators. The focus on cryptocurrency assets aligns with broader trends in cybercrime, where digital currencies are a high-value target due to their irreversible transaction nature.

Protection and Recommended Actions

Security experts universally advise against digitally storing or photographing cryptocurrency recovery phrases. The safest practice is to write the phrase on a durable, physical medium and store it in a secure location, completely disconnected from any internet-connected device.

Users are urged to exercise heightened caution when downloading applications, even from official stores. Checking developer reputations, reading recent reviews carefully, and being wary of applications requesting excessive permissions are standard defensive measures. Furthermore, maintaining updated device operating systems and security software is critical.

Ongoing Investigations and Next Steps

Researchers are continuing to analyze the new SparkCat variant to understand its full capabilities and infection vectors. The findings have been shared with both Apple and Google, prompting investigations into the specific apps involved and the methods used to circumvent store security.

In the coming weeks, security firms are expected to release more detailed indicators of compromise and detection rules. Official communications from the app store operators regarding the removal of the identified malicious apps and any broader security updates are anticipated. This incident is likely to lead to renewed scrutiny of app vetting processes and increased warnings to users about the risks of storing sensitive financial information digitally.

Source: Adapted from cybersecurity research reports.