
Kaspersky Uncovers SparkCat Malware Stealing Crypto Recovery Phrases

by Jacob Ezra

Kaspersky has identified a sophisticated malware campaign, SparkCat, designed to secretly extract cryptocurrency recovery phrases from user devices. Embedded in seemingly harmless apps, the malware infected nearly 242,000 users before being removed from Google Play and the App Store.

How SparkCat Operated in Secrecy

Unlike traditional crypto scams that lure victims with financial promises, SparkCat functioned covertly, making its true financial impact difficult to quantify. Active since March 2024, the malware was distributed through food delivery and AI chatbot applications, allowing attackers to scan phone galleries for sensitive data.

According to Kaspersky’s cybersecurity report, SparkCat leveraged machine learning to analyze images for recovery phrases and passwords. By disguising itself within everyday apps, it bypassed user suspicion while quietly extracting private keys.

Extent of the Damage and Attribution

While Kaspersky has not confirmed the exact amount of stolen funds, researchers describe SparkCat as one of the most sophisticated crypto-related attacks in recent years.

  • The primary targets were users in Europe and Asia.
  • Analysis of the malware’s source code suggests Chinese origins.
  • The affected apps have since been removed from app stores.

A Shift in Crypto Theft Strategies

This discovery comes at a time when crypto-related malware attacks had been declining, with scammers shifting to social media-driven meme coin schemes. However, SparkCat’s approach—focusing on stealth rather than deception—raises concerns about whether similar AI-powered threats could emerge in the future.

Unlike traditional scams that exploit greed, SparkCat targeted users’ negligence, silently extracting valuable data without requiring direct interaction.

Future Implications for Cybersecurity

SparkCat’s ability to evade multiple security protocols highlights evolving risks in crypto security. Experts warn that new malware strains could adopt similar techniques, emphasizing the need for enhanced user awareness and device security measures.

As the digital asset space continues to grow, cybersecurity firms and regulators may need to reassess current protections against increasingly sophisticated crypto-targeting threats.
