SparkCat
SparkCat is a cross-platform mobile stealer/spyware campaign targeting Android and iOS, distributed via trojanized applications in both official and unofficial app stores, including Google Play and Apple’s App Store. Researchers reported activity beginning at least as early as March 2024, with later variants still appearing in official stores in early 2026. The malware is commonly described as a crypto stealer focused on harvesting cryptocurrency wallet recovery or mnemonic phrases from victims’ photo galleries.
SparkCat embeds a malicious SDK in Android apps and a malicious framework or library in iOS apps. It requests or abuses gallery/photo access, uses OCR to scan stored images for wallet seed phrases or attacker-supplied keywords, and selectively exfiltrates matching images to attacker-controlled infrastructure. Multiple reports state it used Google ML Kit OCR in earlier Android and iOS variants; a newer iOS variant used Apple’s Vision framework. On Android, SparkCat also used obfuscation, code virtualization, and a concealed Rust-based malicious library in newer samples.
Reported C2 behavior includes retrieval of encrypted configuration data, keyword lists, and OCR filtering parameters from attacker infrastructure. Documented endpoints include /api/e/config/rekognition, /api/e/config/keyword, /api/e/img/uploadedCheck, and /api/e/img/rekognition on the domain api.aliyung.org, which was linked to Trojan.AndroidOS.SparkCat and categorized as Botnet C&C. One recovered configuration also referenced api.aliyung.com:18883 for the Rust-based C2 channel. Researchers reported that some Android samples encrypted outbound HTTP data with AES-256-CBC and decrypted responses with AES-128-CBC, while the Rust component compressed data with ZSTD and encrypted it with AES-GCM-SIV.
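As an added, defender-side example (not code from the original reporting or from any vendor tool): a small Python scanner that matches the C2 domains, URL paths and port listed above against proxy and DNS log lines. The log line layouts, field names and sample lines are constructed for illustration and are assumptions; adapt the regular expressions to the format your own proxy and resolver emit.

```python
"""Match SparkCat C2 indicators against proxy and DNS log lines.

Indicator values (domains, URL paths, port) come from the public
reporting summarized above. The log formats and sample lines are
constructed for this example and do not come from any vendor report.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Domains and URL paths reported as SparkCat C2 infrastructure.
SPARKCAT_DOMAINS = {"api.aliyung.org", "api.aliyung.com"}
SPARKCAT_PATHS = {
    "/api/e/config/rekognition",
    "/api/e/config/keyword",
    "/api/e/img/uploadedCheck",
    "/api/e/img/rekognition",
    "/api/e/d/u",
}
# Port referenced by a recovered configuration for the Rust-based C2 channel.
# That channel runs over raw TCP, so it will normally not show up in an HTTP
# proxy log; the DNS lookup of the domain is the more reliable handle.
SPARKCAT_RUST_C2_PORT = 18883

# Constructed proxy log layout (hypothetical; adjust to your proxy):
#   <timestamp> <client_ip> <METHOD> <url> <status>
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?"
    r"(?P<path>/[^?\s]*)?(?:\?\S*)? (?P<status>\d{3})$"
)
# Constructed DNS query log layout (hypothetical):
#   <timestamp> <client_ip> query <qname> <qtype>
DNS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+?)\.? (?P<qtype>[A-Z]+)$"
)


@dataclass(frozen=True)
class Hit:
    source: str      # "proxy" or "dns"
    client: str      # client address that produced the line
    indicator: str   # which indicator matched
    confidence: str  # "high": domain and path; "medium": domain; "low": path only
    line: str


def classify_proxy(line: str) -> Optional[Hit]:
    """Return a Hit if a proxy log line touches a SparkCat domain or path."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    host = m.group("host").lower()
    path = m.group("path") or "/"
    port = int(m.group("port")) if m.group("port") else None
    domain_hit = host in SPARKCAT_DOMAINS
    path_hit = path in SPARKCAT_PATHS
    if domain_hit and path_hit:
        return Hit("proxy", m.group("client"), f"{host}{path}", "high", line)
    if domain_hit:
        ind = f"{host}:{port}" if port == SPARKCAT_RUST_C2_PORT else host
        return Hit("proxy", m.group("client"), ind, "medium", line)
    if path_hit:
        # The paths look generic enough that a path-only match should be
        # confirmed against the host before anyone acts on it.
        return Hit("proxy", m.group("client"), path, "low", line)
    return None


def classify_dns(line: str) -> Optional[Hit]:
    """Return a Hit if a DNS log line resolves a SparkCat C2 domain."""
    m = DNS_RE.match(line)
    if not m:
        return None
    qname = m.group("qname").lower()
    if qname in SPARKCAT_DOMAINS:
        return Hit("dns", m.group("client"), qname, "medium", line)
    return None


def scan(lines: Iterable[str]) -> list[Hit]:
    """Run both classifiers over a stream of log lines and collect the hits."""
    hits = []
    for line in lines:
        hit = classify_proxy(line) or classify_dns(line)
        if hit:
            hits.append(hit)
    return hits


# Constructed sample lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-02-06T10:01:02Z 10.0.0.15 POST https://api.aliyung.org/api/e/config/keyword 200",
    "2025-02-06T10:01:05Z 10.0.0.15 POST https://api.aliyung.org/api/e/img/uploadedCheck 200",
    "2025-02-06T10:02:00Z 10.0.0.22 GET https://example.com/api/e/config/keyword 404",
    "2025-02-06T10:02:10Z 10.0.0.15 query api.aliyung.com A",
    "2025-02-06T10:03:00Z 10.0.0.30 GET https://www.example.org/index.html 200",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"[{h.confidence}] {h.source} client={h.client} ioc={h.indicator}")
```

Two clients in the sample data stand out: 10.0.0.15 hits a C2 domain together with two documented paths and then resolves the Rust C2 domain, which is the pattern worth paging on; 10.0.0.22 only matches a path on an unrelated host and is reported at low confidence so it can be reviewed rather than alerted on.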
SparkCat was found in apps posing as food delivery, messaging, exchange, banking, chat, and other legitimate mobile applications. ESET reported infected Android apps on Google Play with more than 242,000 downloads. Kaspersky and ESET both reported that SparkCat-infected apps reached Apple’s App Store, with ESET describing it as the first known case of a stealer found there. Apple removed identified malicious iOS apps in February 2025, Google removed identified Android apps in February 2025, and later reports state additional SparkCat-infected apps were again found and removed from both stores in 2026.
Targeting appears centered on cryptocurrency users. Reports state the campaign primarily targeted users in Asia, including the UAE, Southeast Asia, China, Japan, and Korea, while multilingual keyword lists indicate broader targeting across Europe and Asia. Newer reporting states that the Android variant searched for Japanese, Korean, and Chinese keywords, while the iOS variant searched for English mnemonic phrases, suggesting broader reach. Researchers noted Chinese-language comments and error messages and assessed the operator was likely Chinese-speaking, but available reporting did not attribute SparkCat to a known threat group.
Associated detection names mentioned in public reporting include HEUR:Trojan.AndroidOS.SparkCat.* and HEUR:Trojan.IphoneOS.SparkCat.*. Related reporting also links a separate image-stealing campaign named SparkKitty to SparkCat based on shared frameworks, overlapping infected apps, and matching iOS debug paths.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
We cannot confirm with certainty whether the infection was a result of a supply chain attack or deliberate action by the developers.
The malware was distributed through unofficial sources as well as Google Play and App Store... In both the Android and iOS versions, the malicious payload was part of the app itself, not of a third-party SDK or framework.
The threat actor distributed apps containing a malicious SDK/framework... On iOS, the malicious payload is delivered as frameworks (primarily mimicking AFNetworking.framework or Alamofire.framework) or obfuscated libraries disguised as libswiftDarwin.dylib, or it can be embedded directly into the app itself.
Execution (2 techniques)
Stealth (6 techniques)
It was originally obfuscated, so we statically deobfuscated it before analyzing.
It retrieves the Base64-encoded value of the ccc key... decoded and then decrypted using AES-256 in ECB mode... The decrypted value is a list of URLs...
The Trojan disguises itself as a legitimate application to discreetly scan the user's photo gallery... It spreads through seemingly harmless infected applications: corporate messaging apps and food delivery apps are among the identified vectors.
Once a configuration has been downloaded, Spark decrypts a payload from assets and executes it in a separate thread. It uses XOR with a 16-byte key for a cipher.
Credential Access (2 techniques)
Discovery (5 techniques)
the handler requests access to the device’s image gallery. If the pw flag in the aforementioned object is equal to 1, the module will keep requesting access if denied.
The SDK then uploads device information to /api/e/d/u on the C2 server.
The obfuscated malicious Rust library was decrypted by a virtual machine created by the attackers, similar in design to Dalvik.
Collection (5 techniques)
Some of these scanned users’ image galleries in search of crypto wallet access recovery phrases.
The reasoning behind the SDK’s request seems sound at first: users may attach images when contacting support.
the malware is flexible enough to steal not just these phrases but also other sensitive data from the gallery, such as messages or passwords that might have been captured in screenshots.
These parameters are used by processor classes that filter images by OCR-recognized words.
It would then use an OCR model to select and exfiltrate images of interest... ML Kit searched for text blocks and then broke them down into lines. If at least three lines containing a word with a minimum of three letters were found, the Trojan would send the image to the attackers’ server.
Command and Control (4 techniques)
Spark uses POST requests to communicate with the “http” server.
The JSON is sent to the server with the help of the native libmodsvmp.so library via the unidentified protocol over TCP sockets.
Recent activity
A crypto-stealing malware found in Android and iOS apps. On Android it used a heavily obfuscated Rust library decrypted via an attacker-created virtual machine; on iOS it used Apple's Vision framework for OCR.
Mobile trojan targeting cryptocurrency users by masquerading as legitimate apps, requesting access to photo galleries, using OCR to scan images for wallet recovery phrases, and exfiltrating relevant images to attackers.
Mobile malware hidden in seemingly benign iOS and Android apps that scans victims' photo galleries using OCR to find cryptocurrency wallet recovery phrases and exfiltrates matching images to attacker-controlled servers.
Mobile malware that hides inside seemingly benign apps and scans users' photo galleries using OCR to identify cryptocurrency wallet recovery phrases, then exfiltrates relevant images to an attacker-controlled server.