Your seed phrase is not safe just because you hid it between vacation photos and food pics. SparkCat knows where to look.
Security researchers are warning about a new wave of SparkCat malware, a trojan that targets crypto users by scanning smartphone photo galleries for wallet recovery phrases. The ugly part is simple: it has shown up inside apps that passed review on both Apple's App Store and Google Play, which kills the usual "just use official stores" comfort blanket. [1]

How SparkCat actually steals crypto

SparkCat is built to hunt for one thing: wallet recovery phrases. Those 12 or 24 words are the master key to a wallet, and once an attacker has them, funds can be drained without needing your password, face scan, or phone.

The malware reportedly hides inside apps that look normal enough to install. After launch, it asks for permissions, including access to photos. If the user grants that access, the app silently scans images stored on the device. [2]

OCR is the attack surface

What makes SparkCat stand out is its use of optical character recognition, or OCR. That means it can read text inside screenshots and photos, not just filenames or metadata. [3]

If the malware spots wallet-related keywords in an image, it sends the flagged file to a remote server controlled by the attacker. Translation: that screenshot of your seed phrase is basically loot.

Researchers have described SparkCat as an evolved version of a trojan first identified in early 2025. This newer strain appears better disguised and more effective at slipping into legitimate-looking mobile apps. [4]

Why this is a bigger deal than a normal app scam

Most crypto theft malware goes after clipboard data, fake wallet popups, or browser extensions. SparkCat goes after a habit a lot of users know is dumb, but still do anyway: saving sensitive info in the camera roll.

That matters because photo galleries often become an accidental backup vault. Users screenshot seed phrases during wallet setup, save exchange recovery codes, or photograph handwritten notes for convenience. Bad opsec, yes. Common opsec, also yes.

Official app stores are not a full shield

Researchers reportedly found infected apps on iOS and Android, then had them removed. At least two compromised apps were identified in Apple's store and one in Google Play, with additional distribution happening through third-party sites. [5]

That cross-platform angle is what makes this story sting. Apple users like to post the "it just works" meme. Malware clearly did too.

Passing store review does not mean an app is clean forever, and malicious code can be hidden in ways that are difficult to spot during automated checks. For crypto users, the lesson is blunt: trust less, verify more.

What users should do right now

First, stop storing seed phrases as screenshots or photos. If your recovery words live in your camera roll, assume that is an unnecessary risk and remove them.

Second, audit app permissions. Any random utility, chat app, shopping app, or image editor asking for full photo access deserves side-eye. On both iPhone and Android, review which apps can see your gallery and revoke access where it is not essential.
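As an added example (not code from the article or from the researchers it cites), here is a small Python audit for the Android half of that permission check: it lists third-party packages over adb, asks `dumpsys package` which of them hold a granted photo-read permission, and prints the hits for review. It assumes adb is installed and a device is connected with USB debugging on; the parsing function itself is exercised on a constructed dumpsys sample so it can be checked offline.

```python
"""Find Android apps that can read the photo gallery (added example)."""
import re
import subprocess

# Runtime permissions that grant read access to the photo library:
# READ_MEDIA_IMAGES on Android 13+, READ_EXTERNAL_STORAGE on older releases.
PHOTO_PERMISSIONS = (
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
)

# Matches the "<permission>: granted=<bool>" lines in the runtime
# permissions section of `dumpsys package <pkg>` output.
_GRANT_RE = re.compile(
    r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M
)


def granted_photo_permissions(dumpsys_output: str) -> set[str]:
    """Photo-related permissions marked granted=true in a dumpsys dump."""
    return {
        perm for perm, state in _GRANT_RE.findall(dumpsys_output)
        if state == "true" and perm in PHOTO_PERMISSIONS
    }


def adb(*args: str) -> str:
    """Run an adb command and return its stdout (assumes adb on PATH)."""
    return subprocess.run(
        ["adb", *args], capture_output=True, text=True, check=True
    ).stdout


def audit_device() -> dict[str, set[str]]:
    """Map each third-party package that can read photos to its permissions."""
    listing = adb("shell", "pm", "list", "packages", "-3")
    pkgs = [l.split(":", 1)[1].strip() for l in listing.splitlines() if ":" in l]
    findings = {}
    for pkg in pkgs:
        perms = granted_photo_permissions(adb("shell", "dumpsys", "package", pkg))
        if perms:
            findings[pkg] = perms
    return findings


# Constructed sample of the relevant dumpsys section, for offline checks.
SAMPLE_DUMPSYS = """\
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_FIXED ]
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[]
"""

if __name__ == "__main__":
    for pkg, perms in audit_device().items():
        print(f"{pkg}: {', '.join(sorted(perms))}  <- revoke if not essential")
```

Anything it lists that is not a photo editor or gallery app is a candidate for revoking the permission in Settings.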

Clean up the obvious attack paths

Delete old screenshots of seed phrases, private keys, exchange backup codes, and ID documents tied to financial accounts. Also clear "recently deleted" folders and cloud photo backups if those images were synced.
Use offline storage for recovery phrases. That can mean writing them down and storing them securely, or using a dedicated backup method designed for sensitive key material. The point is simple: your wallet backup should not sit in the same gallery as memes and dog photos.

Keep phones updated, avoid sideloading from sketchy sites, and be skeptical of apps with thin reputations or weird permission requests. None of that is bulletproof, but it cuts down easy attack surface.

Why it matters

SparkCat is a reminder that crypto security failures often start with convenience. Not some elite zero-day, just people putting the keys to the vault in the photo album.

For the industry, this is another hit to the idea that self-custody risks are mostly about blockchains and smart contracts. A lot of losses still come from the weakest layer in the stack: the user device.

If you have seed phrase screenshots on your phone, fix that now. If app store malware keeps slipping through, expect more attacks aimed at everyday habits, not just hardcore degens. If convenience wins, bags get rekt.