NextFin News - Cybersecurity researchers at Kaspersky have identified a sophisticated new variant of the SparkCat Trojan that successfully bypassed the rigorous vetting processes of both Apple’s App Store and Google Play. The discovery, made in early April 2026, reveals that the malware has evolved to target cryptocurrency assets by scanning user device galleries for sensitive financial information. This resurgence comes exactly one year after the original SparkCat strain was purportedly eradicated from major mobile platforms, signaling a persistent and adaptive threat to mobile financial security.
The infected applications, which included messaging tools designed for corporate communication and food delivery services, were found to be legitimate programs compromised by the Trojan. According to Dmitry Kalinin, a cybersecurity expert at Kaspersky, the Android version of the malware utilizes an optical character recognition (OCR) module to analyze text within screenshots. If the system identifies keywords related to cryptocurrency wallets or recovery phrases, it immediately exfiltrates the image to a remote server controlled by the attackers. While the Android variant appears specifically tailored for Asian markets—using Japanese, Korean, and Chinese language recognition—the iOS version takes a broader approach by scanning for English-language mnemonic phrases, potentially exposing a global user base to asset theft.
Kalinin, who has a long-standing track record of tracking mobile-based financial threats, noted that the latest iteration of SparkCat employs advanced obfuscation techniques rarely seen in mobile malware. These include code virtualization and the use of cross-platform programming languages, which effectively mask the malicious intent from automated security scanners. Kalinin’s assessment suggests that the developer of this variant is likely the same individual or group behind the 2025 outbreak, indicating a dedicated effort to refine the Trojan’s stealth capabilities. However, it is important to note that Kaspersky’s findings represent a specific telemetry set; while the threat is verified, the total number of infected devices remains difficult to quantify without broader data from mobile operating system providers.
The breach of the App Store is particularly notable given Apple’s historical marketing of its "walled garden" as a near-impenetrable defense against malware. The fact that SparkCat managed to embed itself within corporate messaging apps suggests a failure in the static and dynamic analysis tools used during the app review process. Beyond the official stores, Kaspersky also detected the malware being distributed through third-party websites that mimic the interface of the App Store to trick iPhone users into downloading malicious configuration profiles. This multi-channel distribution strategy highlights the limitations of relying solely on platform-level security for financial protection.
From a market perspective, the SparkCat resurgence underscores the growing vulnerability of the "mobile-first" crypto economy. As more retail investors manage their portfolios exclusively through smartphones, the incentive for developers to create specialized financial Trojans increases. While Kaspersky has reported the malicious apps to Google and Apple for removal, the delay between infection and discovery often leaves a window of several weeks where user funds are at risk. The incident serves as a reminder that even "legitimate" apps from official sources can serve as vectors for high-stakes financial theft when attackers utilize sophisticated evasion tactics.
