Who do you trust when an app promising convenience can quietly betray the most sensitive piece of a crypto user’s life: the recovery phrase? Cybersecurity researchers say a new SparkCat variant now on both major app stores is doing exactly that — and it is hiding in plain sight.
A deceptive new variant discovered
Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both mobile operating systems. According to the reporting, this variant is designed to steal images of crypto wallet recovery phrases.
How it is delivered and where it hides
The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while continuing to appear legitimate in the storefronts where users expect safety. The discovery on both the Apple and Google stores shows the trojan’s authors are distributing the code through widely used official channels.
Why this matters
- For users: the explicit targeting of recovery phrase images raises direct risks to personal crypto wallet security, because those images contain the data needed to restore wallets.
- For technologists and app reviewers: finding a new SparkCat variant inside apps marketed through official stores underscores gaps in detection and the challenges of preventing malicious code from appearing inside otherwise legitimate-looking applications.
- For policymakers and platform operators: the presence of malware on both storefronts, more than a year after the original trojan was identified, highlights the ongoing tension between rapid app distribution and the need for robust review and monitoring processes.
- For adversaries: concealing malware in commonplace categories such as messaging or food delivery increases the potential reach and plausibility of social engineering that lures users into exposing sensitive images.
What to watch next
The discovery is a reminder that official distribution channels are not immune to sophisticated trojans and that the particular focus on crypto wallet recovery phrase images raises uniquely consequential privacy and security stakes. Observers will likely look for follow-up disclosures from the researchers who discovered this variant and for responses from the stores where the apps were hosted.
How will platforms, app reviewers and users adjust to an adversary that can hide in everyday apps and aim directly at the secret images people rely on to safeguard digital assets?
https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html




