SparkCat Malware Forensic Analysis
By Kevin Lanier on February 28, 2025
Executive Summary
SparkCat is a family of malware that infects iOS and Android devices. Discovered in late 2024, it uses Optical Character Recognition (OCR) to scan images for sensitive information such as cryptocurrency wallet recovery phrases. It is a mobile-specific Trojan Horse: it hides inside seemingly legitimate applications that users install and then steals information from the device. The best protection for a phone is to verify that the software being installed is legitimate and to keep a trusted antivirus app running on the device. Because this strain of malware is brand new, users will need to remain extra vigilant, as the tactics used to spread it could evolve beyond our current understanding.
Background
SparkCat is a mobile Trojan discovered in late 2024, although the malware has existed since at least March 2024 [4]. It is believed to have originated in China and mostly targets users in the UAE, Europe and Asia by disguising itself in both legitimate apps and fabricated ones. Telemetry data from Kaspersky reveals that the infected apps have been downloaded from the Google Play app store over 242,000 times. Once installed, the malware requests access to the user's photo gallery and then uses its OCR capabilities to scan images for keywords associated with cryptocurrency wallet recovery phrases [4]. To make matters worse, the malware can recognize these keywords in multiple languages, including some of the most commonly spoken ones in Europe, Asia and the UAE.
Impact
SparkCat is an especially troublesome strain of mobile malware because of the nature of cryptocurrency theft. SparkCat uses an OCR plugin built on the Google ML Kit library to recognize text in stored images, which makes it highly effective at extracting cryptocurrency wallet recovery phrases. It also has the potential to be updated for even greater malicious activity in the future, such as targeting account credentials found within images. Unlike a bank transaction in US dollars, a cryptocurrency transaction is irreversible, and the funds cannot be recovered unless the recipient agrees to send them back. Cryptocurrencies are also harder to trace because they are identified by wallet addresses rather than personal information. If a scammer has the wallet address, they effectively own all of your cryptocurrency, with no identity verification checks needed to proceed with transactions. These digital currencies are also hosted all around the world, so law enforcement has a harder time tracking down the transactions in order to hold cybercriminals accountable [1].
Mitigation
SparkCat uses recent technology to perform its data theft, so it has never been more important for users to stay on top of their cybersecurity hygiene. The first mitigation a user can apply is to make sure they are downloading applications from a trusted source. Using the App Store on iOS or the Google Play store on Android decreases the risk of installing an illegitimate application. Keeping a phone's operating system updated provides security patches that can detect the malware and block its installation before it becomes a threat. Installing a trusted mobile antivirus application such as the F-Secure Total app is another strong mitigation against this mobile Trojan [3]; it can detect and quarantine the malware if it does get installed. Since this malware has the potential to steal credential information, users should make sure they have passwords of at least 14 characters with mixed capitalization, numbers and symbols for all of their accounts. If a user installs this malware accidentally, they should uninstall the app as soon as possible and update all account passwords, cryptocurrency-related or otherwise.
Relevance
Malware for mobile devices can have a significant financial impact. From 2021 to 2023, 83% of malware strains were phone-based, with attacks increasing globally by 8% [5]. Cryptocurrency scams continue to grow in popularity and result in huge financial losses. According to the FBI, its Internet Crime Complaint Center received over 69,000 complaints related to cryptocurrency fraud in 2023. This was a 45% increase from 2022 and reflected more than $5.6 billion in losses [2]. To minimize the risk of falling victim to phone-based malware and cryptocurrency-related cybercrime, individuals and corporations alike will need to scrutinize the software they install on mobile devices.
References
[1] Bank Iowa. (2025, January 27). Crypto Scams: Lucrative, Effective, and Tough to Trace. Bank Iowa. https://www.bankiowa.bank/about-us/front-porch-blog/crypto-scams-lucrative-effective-and-tough-to-trace
[2] Federal Bureau of Investigation. (2024, September 10). 2023 Cryptocurrency Fraud Report Released. FBI. https://www.fbi.gov/news/stories/2023-cryptocurrency-fraud-report-released
[3] F-Secure. (2024, January). 8 Signs Your Phone Has a Virus & What to Do About It. F-Secure. https://www.f-secure.com/us-en/articles/8-signs-your-phone-has-a-virus-what-to-do-about-it
[4] Kaspersky. (2025, February 5). Kaspersky discovers new crypto-stealing Trojan in AppStore and Google Play. Kaspersky. https://www.kaspersky.com/about/press-releases/kaspersky-discovers-new-crypto-stealing-trojan-in-appstore-and-google-play
[5] Statista Research Department. (2024, November). Share of malware targeting mobile devices 2021-2023. Statista. https://www.statista.com/statistics/1449739/malware-targeting-mobile-devices/