
Apple and Google Pull 20 Apps Tainted by SparkCat Malware: Protect Your Crypto, Photos, and Privacy

What if the harmless photo editor you downloaded was quietly reading the text in your images—your crypto seed phrase, your ID numbers, even the Wi‑Fi password you snapped months ago? That’s exactly the unsettling reality researchers just exposed.

Apple and Google have removed 20 apps from their app stores after Kaspersky investigators found they carried a new strain of mobile malware dubbed SparkCat. Active since March 2024, SparkCat reportedly racked up more than 242,000 installs across iOS and Android before getting the boot. Its trick? Using optical character recognition (OCR) to scan your photo gallery and lift sensitive information—including cryptocurrency wallet recovery phrases.

Google says it banned the developers involved and notes that Play Protect detects known variants. Apple hasn’t issued a public statement at the time of writing. The episode underlines an uncomfortable truth: even “legit-looking” apps can conceal sophisticated data theft schemes and slip past app review for months.

Source: RedSeal’s cyber news roundup summarizes the incident here: RedSeal Cyber News Roundup (Feb 14, 2025). Tech journalists and security researchers are continuing to track the fallout.

Below, we break down what happened, how SparkCat works, who’s most at risk, and the concrete steps you can take right now to protect your crypto and personal data—even if you never downloaded one of the malicious apps.

Quick summary

  • 20 apps containing “SparkCat” malware were removed from the Apple App Store and Google Play Store after a Kaspersky-led investigation.
  • The malware used OCR to scan image galleries, targeting crypto wallet recovery phrases and other sensitive text in photos/screenshots.
  • SparkCat operated since March 2024 and reached more than 242,000 downloads.
  • Google banned the implicated developers and confirmed Play Protect covered known versions. Apple did not make a public statement.
  • The case highlights the limits of app store review and the rise of malware that hides inside legitimate‑appearing functionality (e.g., camera tools, photo utilities).
  • High‑risk users include anyone who screenshots seed phrases, IDs, bank cards, QR codes, or other secrets.
  • Best defenses: never store seed phrases in photos/notes, limit photo permissions per app, migrate crypto to a new seed if exposed, and practice stricter app hygiene.

What happened—and why it matters

Researchers discovered that a cluster of apps—across both iOS and Android—bundled SparkCat, a piece of mobile malware designed to harvest sensitive data by analyzing the text in users’ image libraries. OCR isn’t new; banks and note‑taking apps rely on it to turn pictures into searchable text. But in SparkCat’s hands, OCR becomes a stealthy way to mine your past and present screenshots for secrets.

Key points from early reporting:

  • The malware had been circulating since March 2024.
  • Collectively, the rogue apps were downloaded more than 242,000 times.
  • Google responded by pulling the apps, banning the developer accounts, and emphasizing that Play Protect can block known strains.
  • Apple removed the apps but did not issue a public statement.

Why it matters:

  • It’s a supply chain security problem: attackers disguised malicious payloads inside apps that appeared harmless enough to pass automated and manual review.
  • It preys on a widespread behavior: we screenshot everything—seed phrases, QR codes, boarding passes, account numbers—and sync them across devices and clouds.
  • It’s a preview of more to come: as on‑device AI and OCR get better, more malware will try to live “in plain sight” inside camera and photo utilities.

For a concise recap, see RedSeal’s roundup. Broader security coverage continues at outlets like TechCrunch’s Security section.

How SparkCat likely worked (in plain English)

While each malicious app can vary, the core playbook looks like this:

  1. Masquerade as something routine and useful—photo tools, scanners, filters, file utilities.
  2. Request Photos/Media permission. On iOS, this might be Full Access; on Android, modern versions offer scoped access, but many users still grant broad gallery permissions.
  3. Run OCR on the images to extract text. Seed phrases (12/24‑word combos), private keys displayed as text, wallet backup instructions, QR codes with embedded keys/addresses, and ID numbers are obvious targets.
  4. Cherry‑pick valuable strings and exfiltrate them to a remote server.

Why OCR is such a goldmine:

  • Many people capture sensitive data via screenshot because it’s “quick.” Examples: wallet recovery phrases, exchanges’ 2FA backup codes, driver’s licenses, bank cards, tax docs, password hints, private Wi‑Fi details, and even hand‑written notes photographed for safekeeping.
  • OCR can be selective. Malware doesn’t need to upload your entire photo library; it can harvest only the extracted text (or only images that match patterns like “24 words separated by spaces”), reducing bandwidth and detection risk.

The twist: the apps’ advertised features—scanning receipts, improving photo quality, creating PDFs—legitimately require OCR and photo permissions. That dual‑use nature helps the malware blend in and dodge suspicion during app reviews and by users.

How could this slip past app store review?

Even robust reviews have blind spots—especially with adversaries who:

  • Delay malicious behavior. Payloads that activate days/weeks after install or after certain triggers can evade short test windows.
  • Use server‑side toggles. Code can stay dormant until a command‑and‑control server flips it on for specific regions or user cohorts.
  • Hide inside third‑party SDKs. A benign app may unknowingly bundle a tainted analytics/ads/utility SDK that turns malicious later via updates.
  • Gate functionality behind real user actions. The app works as promised but quietly runs extra tasks (e.g., gallery scans) in the background.

This isn’t new. The mobile ecosystem has weathered large‑scale incidents before, but SparkCat raises the bar with its focus on text extraction from personal photos—a permission users often grant without a second thought.

Who is most at risk?

  • Crypto holders who have ever:
    • Saved or screenshotted a wallet seed phrase or private key.
    • Captured QR codes that encode keys or recovery kits.
    • Stored exchange backup codes in photos.
  • Anyone who keeps photos of:
    • Driver’s licenses, passports, bank cards, checks, tax documents, medical info.
    • Wi‑Fi credentials, serial numbers, license keys, or password hints.
  • Power users who grant Full Photos access to many apps or who install lots of utility apps from unknown developers.

If that sounds like “basically everyone,” you’re not wrong. The ubiquity of screenshots is why OCR‑driven malware is so potent.

What to do if you think you installed one of the removed apps

Take these actions immediately. You don’t need to panic, but don’t delay—especially if you store crypto.

  1. Uninstall the suspicious app(s).
     • On Android, also run a Play Protect scan: Settings > Security & privacy > App security > Google Play Protect. More info: Play Protect help.
  2. Revoke photo/media permissions broadly.
     • Android: Settings > Privacy > Permission manager > Photos and videos / Media; or per‑app permissions: Manage app permissions.
     • iPhone: Settings > Privacy & Security > Photos (or per‑app > Photos). Consider “Selected Photos” or “None.” Apple’s guidance: Control access to information on iPhone.
  3. If you had any crypto seed phrase, private key, or recovery QR in your photos:
     • Treat it as compromised. Immediately move funds to a new wallet with a brand‑new seed generated on a clean, uncompromised device or a hardware wallet.
     • Do not type an old seed into the same phone you suspect was infected. Complete the migration first, then wipe or factory‑reset if necessary.
  4. Clean up your photo library.
     • Delete images that contain sensitive text. Also clear “Recently Deleted/Trash.”
     • If you sync photos to the cloud, remove them from iCloud Photos or Google Photos and empty trash there too.
  5. Rotate other credentials and enable strong 2FA.
     • Prioritize email, exchanges, password manager, and banking. Prefer app or hardware key–based 2FA over SMS.
  6. Update your OS and apps.
     • Install the latest iOS/Android updates and app updates to ensure all security patches are in place.
  7. Monitor your accounts and wallets.
     • Set up alerts. Watch for unexplained sign‑ins or crypto movements. If funds are at risk, consider moving them preemptively to new addresses.
  8. Report suspicious apps.
     • Google Play: Report inappropriate apps.
     • Apple: You can report issues with purchases at reportaproblem.apple.com and escalate suspected malicious apps via Apple Support: Report suspicious activity.

If you’re part of an organization, alert your security team so they can assess device fleets and push policy‑based controls.

Everyday defenses against OCR‑style mobile malware

Think in layers. You don’t need all of these, but each one meaningfully reduces risk.

  • Never store wallet recovery phrases or private keys in photos or notes.
    • Use a hardware wallet or write the seed down and store it securely (or use a metal backup plate).
  • Minimize photo permissions.
    • iOS: Prefer “Selected Photos” or “Add Only” access when prompted. Deny Full Access unless absolutely necessary.
    • Android: Use the system Photo Picker when available and decline broad “All photos” access if an app doesn’t truly need it. Dev note: Android Photo Picker.
  • Lock down screenshots and sensitive images.
    • Disable automatic cloud sync for screenshots if you habitually capture sensitive info.
    • Use Google Photos’ Locked Folder for private images (local‑only, device‑locked).
  • Treat QR codes like plaintext.
    • If a QR encodes a private key or recovery data, it’s just as sensitive as the seed phrase itself. Don’t keep it in your camera roll.
  • Harden the device.
    • Keep iOS/Android fully updated.
    • Install apps sparingly, prefer well‑known developers, and be skeptical of utilities that demand broad permissions.
    • On Android, keep Play Protect on. On both platforms, consider reputable mobile security solutions if you’re a high‑risk user.
  • Practice “permission hygiene.”
    • Periodically audit which apps can access Photos, Camera, Files, Clipboard, Contacts, and Notifications—and revoke what’s unnecessary.
  • Use strong account protections.
    • Password manager, unique passwords, phishing‑resistant 2FA (security keys or passkeys where available).

For developers and security teams:

  • Audit all third‑party SDKs and ad libraries. Maintain a software bill of materials (SBOM) for mobile apps. Follow OWASP MASVS guidance: OWASP MAS.
  • Add dynamic analysis to your app vetting and supply chain procedures. Be cautious with auto‑updating remote configs.
  • Implement privacy‑by‑default permissions and in‑app explanations that discourage users from granting unnecessary access.
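As an added example for app vetting (not code from the article or from Kaspersky’s analysis), the script below does a first‑pass static triage of an Android manifest for the permission profile this article describes: broad gallery read access combined with network access, plus permissions a photo utility has no obvious reason to hold. The permission names are real Android constants; the sample manifest and the package name are constructed for illustration.

```python
"""Static permission triage for an Android app manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that grant read access to the whole gallery or shared storage.
BROAD_MEDIA = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
# Permissions a photo/scanner utility rarely has a legitimate reason to hold.
UNRELATED = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
}
INTERNET = "android.permission.INTERNET"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter()
        if el.tag in PERMISSION_TAGS and el.get(ANDROID_NS + "name")
    }


def triage(manifest_xml: str) -> list[str]:
    """Return human-readable findings; an empty list means no red flags."""
    perms = declared_permissions(manifest_xml)
    findings = []
    media = sorted(perms & BROAD_MEDIA)
    if media:
        findings.append("broad gallery access (%s); the system Photo Picker "
                        "needs no permission at all" % ", ".join(media))
        if INTERNET in perms:
            findings.append("gallery read + INTERNET: image contents could "
                            "leave the device; review in dynamic analysis")
    unrelated = sorted(perms & UNRELATED)
    if unrelated:
        findings.append("permissions unrelated to a photo utility: "
                        + ", ".join(unrelated))
    return findings


# Constructed sample manifest for a hypothetical "photo enhancer" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoenhancer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST) or ["no red flags"]:
        print("-", line)
```

A finding is a prompt for dynamic analysis, not proof of malice: a legitimate receipt scanner may hold the same permissions, which is exactly the dual‑use problem the article describes.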

Enterprise and regulated environments: stronger controls

Organizations can materially reduce exposure, even if personal devices are in the mix.

  • Mobile device management (MDM/UEM):
    • Enforce device OS baselines and patch levels.
    • Restrict app installation to allowlists or managed app catalogs.
    • Require “Selected Photos” access on iOS where feasible; block Full Photos for non‑business apps.
  • Mobile threat defense (MTD):
    • Deploy MTD to detect risky app behaviors, anomalous data exfiltration, and suspicious network traffic on both iOS and Android.
  • Data loss prevention (DLP):
    • Apply managed open‑in, clipboard controls, and screenshot restrictions inside sensitive corporate apps.
  • Network safeguards:
    • Use secure DNS and web filtering to block known C2 domains and malware distribution points.
  • Staff education:
    • Teach teams not to screenshot secrets. Provide sanctioned alternatives for storing keys or confidential data.

App store trust is necessary—but not sufficient

The big takeaway from SparkCat isn’t that app stores are broken; it’s that motivated attackers are patient and creative. They exploit gray areas—like dual‑use OCR features—where legitimate needs and malicious goals overlap.

Apple and Google will undoubtedly refine their reviews, train models to spot abuse patterns, and tighten developer policies. But smart attackers will respond in kind. You should keep treating app store presence as one trust signal among many—not a guarantee.

The bigger trend: malware piggybacking on on‑device AI

OCR has been around for decades, but its accuracy, speed, and on‑device footprint have improved dramatically. That tilts the field:

  • Offline extraction. Malware can harvest text without constant network access, then sync selectively later.
  • Category camouflage. Camera scanners, PDF builders, “AI photo enhancers,” and note digitizers naturally ask for camera/photos permissions and OCR features.
  • Targeted harvesting. Models can hunt for tell‑tale structures—12/24‑word phrases, sequences like “seed,” “mnemonic,” or “private key,” and patterns that look like SSNs, IBANs, or driver’s license formats.

Expect more threats to hide in these categories. That doesn’t mean avoid them entirely—just tighten your permission grants and vendor scrutiny.

Spotting trouble: signs (and non‑signs) of image‑harvesting malware

Concrete “indicators of compromise” vary by strain, but general red flags include:

  • Apps that insist on Full Photos access when “Selected Photos” would do.
  • Utilities that don’t work unless you grant unrelated permissions (Contacts, precise Location, Notifications) with no clear reason.
  • Unusual data usage or background activity from a utility that shouldn’t be chatty.
  • Developer accounts with few other reputable apps, vague websites, or recycled templates.

Note: absence of obvious symptoms doesn’t mean you’re safe. Well‑built malware can be quiet and battery‑friendly. Prioritize prevention and periodic permission audits over trying to “feel” compromise.

Crypto holders: how to safely migrate if you’re exposed

If your seed phrase or private key ever lived in your photo gallery (even for a minute), assume it could have been captured.

  • Create a brand‑new wallet and seed phrase on a trusted device or a hardware wallet, offline.
  • Move funds from old addresses to new addresses. Do not import the old seed on the suspect phone.
  • Update any whitelists/allowlists, smart contract permissions, and dApp connections to point to your new addresses.
  • Avoid reusing the compromised seed for any purpose.
  • Store the new seed securely—on paper or steel—never in photos or cloud notes.

What to watch next

  • App re‑uploads. Attackers often return under new developer accounts or with small code changes to evade signatures.
  • Improved platform controls. Expect further nudges toward “Selected Photos” and one‑time permissions by default.
  • Research disclosures. As security teams publish deeper analyses, more IOCs and affected app categories may emerge. Keep an eye on vendors like Kaspersky Securelist and mainstream coverage at TechCrunch Security.

FAQs

Q: What is SparkCat malware?
A: SparkCat is a mobile malware family that, in this incident, embedded itself in ostensibly legitimate apps and used OCR to scan image galleries for sensitive text—especially crypto wallet recovery phrases—then exfiltrated valuable findings.

Q: Which apps were removed?
A: The platforms removed 20 apps tied to the SparkCat campaign. Specific names have not been provided here; when in doubt, review your recent installs and permissions, and remove any untrusted photo/utility apps. Report suspicious listings to Apple/Google.

Q: If I deleted the malicious app, am I safe?
A: Deleting stops further harvesting, but it doesn’t undo theft. If a seed phrase, private key, or other sensitive data was already captured, you must rotate it—migrate crypto to a new wallet with a fresh seed and change exposed credentials.

Q: How would I know if my seed phrase was stolen?
A: You often won’t—until funds move. If your seed was in your photos, assume compromise and proactively move assets to a new wallet. Keep monitoring the old addresses for any activity.

Q: Did the malware read every photo I’ve ever taken?
A: Behavior varies. Some strains may scan broadly; others look selectively for patterns to minimize noise. If the app had Full Photos access, it had the technical capability to scan. Limiting access to “Selected Photos” sharply reduces exposure.

Q: Does Google Play Protect fully protect me?
A: Google stated Play Protect detects known SparkCat variants. It’s an important layer but not foolproof. Keep it enabled, update devices, and practice permission hygiene.

Q: What about iPhones—is there an Apple equivalent to Play Protect?
A: iOS relies on strict app sandboxing, App Store review, and system‑level controls rather than an on‑device malware scanner. You still need to manage permissions carefully and install fewer, higher‑trust apps.

Q: Should I avoid OCR or photo scanner apps entirely?
A: Not necessarily. Use reputable, well‑reviewed apps from established developers and grant only “Selected Photos.” If an app pressures you for Full Access without a clear reason, walk away.

Q: Are screenshots of wallet seeds really that dangerous?
A: Yes. A screenshot is a perfect copy of your keys. Never capture or store seeds/keys digitally. Keep them offline on paper or metal, and consider a hardware wallet.

Q: Can apps access images stored only in the cloud?
A: If the system presents cloud‑synced photos within your gallery and an app has gallery access, it may be able to process what you can view. Use “Selected Photos” to scope access and avoid storing sensitive images in cloud galleries.

Q: Do I need antivirus on my phone?
A: For many users, good permission hygiene, timely updates, and cautious app installs go far. High‑risk users and enterprises can add reputable mobile threat defense solutions for extra visibility and control.

The clear takeaway

SparkCat is a wake‑up call: the most dangerous malware won’t always look shady. It will wear the clothes of everyday utilities and exploit exactly what you already do—screenshotting your life.

  • Don’t store secrets (especially crypto seeds and private keys) in your photo library.
  • Grant “Selected Photos” by default; reserve Full Access for apps that truly need it.
  • Migrate crypto to a new seed if there’s any chance your old one hit the camera roll.
  • Keep Play Protect on, keep iOS/Android updated, and install fewer, better‑vetted apps.

Trust the app stores—but verify with your own habits. The permissions you deny today are the data breaches you never have to clean up tomorrow.
