# SparkCat
SparkCat is the first documented malware family to use OCR (optical character recognition) to steal cryptocurrency wallet recovery phrases from device photos, and the first OCR-based stealer to infiltrate both Google Play and Apple's App Store. Kaspersky discovered SparkCat in February 2025, finding it active since at least March 2024 with 242,000+ downloads across both platforms. The malware uses Google ML Kit to scan gallery images for screenshots of cryptocurrency wallet seed phrases, then exfiltrates matching images to C2 servers using a Rust-based communication protocol. A follow-up variant, SparkKitty, was identified in mid-2025 targeting Southeast Asian and Chinese users through fake gambling and TikTok clone apps.
## Overview
| Attribute | Details |
|---|---|
| First Seen | March 2024 |
| Last Seen | Active (SparkKitty variant, 2025) |
| Status | Active, new variants emerging |
| Type | Cryptocurrency stealer, OCR-based data exfiltration |
| Attribution | Unknown; C2 comments suggest Chinese-speaking developer |
| Aliases | SparkKitty (later variant) |
## Vendor Names
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan.AndroidOS.SparkCat |
| McAfee | Android/SparkCat |
| ESET | Android/Spy.SparkCat |
## Origin and Lineage
SparkCat is independently developed with no known code lineage to existing malware families. However, the OCR-based crypto theft technique has a parallel: McAfee documented the SpyAgent campaign in September 2024, which independently uses OCR to steal crypto seed phrases from device photos and targets Korean users. The two operations appear to be separate actors converging on the same technique, indicating that OCR-based credential theft is an emerging threat pattern.
SparkCat is cross-platform, operating on both Android and iOS. This is unusual for mobile malware families, which typically target a single platform.
## Distribution
### Google Play and App Store
SparkCat achieved presence on both major app stores simultaneously:
| Platform | App Types | Downloads |
|---|---|---|
| Google Play | Food delivery, AI assistants, messaging apps | 242,000+ combined |
| Apple App Store | Similar utility categories | Unknown count |
Some of the apps carrying the SDK appear to be legitimate applications compromised with a malicious SDK (a supply chain attack), while others were purpose-built by the threat actor.
### SparkKitty Variant (2025)
Kaspersky documented the SparkKitty follow-up:
| Distribution | Details |
|---|---|
| Fake gambling apps | Targets Southeast Asian users |
| TikTok clones | Social media impersonation |
| Social engineering | Waits for user to open support chat, requests gallery access for "screenshots" |
The SparkKitty variant uses a more targeted social engineering approach: it waits for the user to open an in-app support chat, then requests gallery access under the pretense of attaching screenshots. This provides a legitimate-seeming context for the gallery permission request.
## Capabilities
| Capability | Description |
|---|---|
| OCR scanning | Uses Google ML Kit to scan gallery images for crypto seed phrases |
| Multi-language OCR | Recognizes seed phrases in English, Chinese, Japanese, Korean, and European languages |
| Selective exfiltration | Only uploads images containing detected seed phrase patterns |
| Gallery monitoring | Monitors photo gallery for new screenshots |
| C2 communication | Rust-based protocol for command and data transfer |
| Cross-platform | Operates on both Android and iOS |
## Technical Details
### OCR Pipeline
The core theft mechanism uses Google ML Kit's on-device text recognition:
- Malware requests gallery/photo access (using social engineering context or at installation)
- Scans all images in the device gallery using ML Kit OCR
- Applies keyword matching against a dictionary of seed phrase-related terms (BIP-39 wordlist patterns, "recovery phrase," "seed words," etc.)
- Images matching crypto wallet seed phrase patterns are uploaded to C2
- Monitoring continues for new images added to gallery
The use of on-device ML Kit means OCR processing happens locally without sending all images to a remote server, reducing network footprint and making detection harder.
### Rust-Based C2
SparkCat's C2 communication uses a custom protocol implemented in Rust, an unusual choice for Android malware:
- Binary protocol over HTTPS
- Rust native library handles serialization and encryption
- Complicates reverse engineering compared to standard Java/Kotlin HTTP clients
- C2 server infrastructure observed with Chinese-language comments in configuration
### Keyword Matching
The OCR results are matched against localized keyword dictionaries:
| Language | Target Keywords |
|---|---|
| English | "recovery phrase," "seed phrase," "mnemonic," BIP-39 words |
| Chinese | Simplified and traditional crypto wallet terminology |
| Japanese | Japanese translations of wallet recovery terms |
| Korean | Korean crypto exchange terminology |
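The same OCR-plus-keyword heuristic described in the OCR Pipeline and Keyword Matching sections can be turned around for defense: a wallet app, endpoint DLP agent, or gallery-scanning security tool can run it over screenshot text to warn a user that a seed phrase is sitting unencrypted in their photos. The following is an added example, not SparkCat code and not Kaspersky's tooling; the BIP-39 subset is a constructed fragment of the real list, the Chinese trigger term is an assumed example, and the three OCR outputs are constructed.

```python
import re

# Constructed subset of the 2048-word BIP-39 English list; a real check would
# load the full list (assumed to be available on disk) to cover any wallet.
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse access
accident account accuse achieve acid acoustic acquire across act action actor
actress actual adapt add addict address adjust admit adult advance advice
""".split())
# English triggers are the ones the page quotes; the Chinese term is assumed.
KEYWORDS = {
    "en": ("recovery phrase", "seed phrase", "mnemonic"),
    "zh": ("助记词", "助記詞"),
}
VALID_PHRASE_LENGTHS = {12, 15, 18, 21, 24}  # word counts BIP-39 allows

def longest_wordlist_run(tokens, wordlist):
    """Length of the longest run of consecutive tokens found in wordlist."""
    best = cur = 0
    for tok in tokens:
        cur = cur + 1 if tok in wordlist else 0
        best = max(best, cur)
    return best

def classify(ocr_text, wordlist=BIP39_SUBSET):
    """A phrase-length run of wordlist words is a seed phrase; trigger words
    alone, or a shorter run, only mark the screenshot as suspicious."""
    lowered = ocr_text.lower()
    hits = [kw for terms in KEYWORDS.values() for kw in terms if kw in lowered]
    run = longest_wordlist_run(re.findall(r"[a-z]+", lowered), wordlist)
    if run in VALID_PHRASE_LENGTHS:
        verdict = "seed_phrase"
    elif hits or run >= 6:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "run": run, "keywords": hits}

# Constructed OCR outputs standing in for three gallery screenshots.
SEED_SCREENSHOT = ("Your recovery phrase\nabandon ability able about above "
                   "absent absorb abstract absurd abuse access accident\n"
                   "Never share it")
SUPPORT_CHAT = "Where do I find my seed phrase in this wallet?"
CALENDAR_NOTE = "Lunch at 12:30 about the account access review, add address"

if __name__ == "__main__":
    for text in (SEED_SCREENSHOT, SUPPORT_CHAT, CALENDAR_NOTE):
        print(classify(text))
```

With the full wordlist loaded, adding BIP-39 checksum verification to the phrase-length branch would further cut false positives on ordinary English text.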
### Permissions
| Permission | Purpose |
|---|---|
| READ_EXTERNAL_STORAGE | Access device photo gallery for OCR scanning |
| READ_MEDIA_IMAGES | Access images on Android 13+ devices |
| INTERNET | C2 communication and image exfiltration |
## Target Regions
| Region | Vector |
|---|---|
| Southeast Asia | Primary target, SparkKitty gambling app lures |
| China | Chinese-language OCR, TikTok clone apps |
| Global | Play Store/App Store distribution reaches worldwide |
## Notable Campaigns
2024, March: SparkCat begins operating on Google Play and Apple App Store. Multiple apps with combined 242,000+ downloads carry the malicious SDK.
2025, February: Kaspersky publishes SparkCat analysis, documenting the first OCR-based stealer on both major app stores. The research reveals Google ML Kit integration, Rust-based C2, and multi-language seed phrase detection.
2025: SparkKitty variant emerges targeting Southeast Asian users through fake gambling games and TikTok clones. The variant refines social engineering by requesting gallery access during in-app support chat interactions.