Defending Against the New SparkCat Variant: Mobile Detection and Remediation Strategies

A new, more evasive variant of the SparkCat trojan has been discovered active on both the Apple App Store and Google Play Store. First identified over a year ago, this malware has resurfaced with improved obfuscation techniques, embedding itself within seemingly legitimate applications such as enterprise messengers and food delivery services.

For security operations teams, this threat represents a significant risk because it bypasses traditional perimeter defenses. By targeting official app stores, SparkCat bypasses the "sideloading" heuristic often used to flag high-risk mobile behavior. Its primary objective is to scan the device's photo gallery for images containing recovery phrases (seed phrases) for cryptocurrency wallets using Optical Character Recognition (OCR), facilitating asset theft.

This post outlines the technical mechanics of the new variant and provides defensive monitoring rules and remediation steps to secure your mobile fleet.

Technical Analysis

SparkCat is a mobile banking trojan that leverages legitimate device capabilities to exfiltrate sensitive data. The latest variant uses the Google ML Kit (on Android) or native frameworks (on iOS) to perform OCR on the device's local image storage.

• Infection Vector: Users download trojanized applications from official app stores. These apps function normally (e.g., ordering food) to maintain a low profile and avoid user suspicion.
• Mechanism of Action: Upon installation, the malware requests access to device storage (photos/media). It then scans saved images for text patterns matching 12 or 24-word cryptocurrency recovery phrases.
• Exfiltration: Identified phrase images are uploaded to the attacker's Command and Control (C2) server.
• Affected Systems: iOS and Android devices. The specific malicious apps have been observed in various utility categories.
• Severity: High. While direct financial impact is the primary goal, the presence of this malware on corporate devices indicates a failure in app vetting processes and a potential breach of data privacy policies.

Defensive Monitoring

To detect SparkCat activity, security teams must monitor network traffic for C2 communication and audit installed applications for known indicators of compromise (IOCs). Below are detection rules and queries for SIGMA, Microsoft Sentinel, and Velociraptor.

SIGMA Rules

The following SIGMA rules detect network communication patterns associated with SparkCat C2 infrastructure and suspicious DNS queries often used by malware families.

---
title: Potential SparkCat C2 Network Connection
id: a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects network connections to known Command and Control (C2) infrastructure associated with the SparkCat trojan variant.
references:
  - https://thehackernews.com/2026/04/new-sparkcat-variant-in-ios-android.html
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'sparkcat-c2.bad-domain.com'
      - 'malicious-api.delivery-net.com'
  condition: selection
falsepositives:
  - Legitimate traffic to similar sounding domains (unlikely)
level: critical
---
title: Suspicious High Entropy DNS Query
id: f1e2d3c4-b5a6-4f8e-9d0c-1a2b3c4d5e6f
status: experimental
description: Detects DNS queries with high entropy often used by malware for Domain Generation Algorithms (DGA) or C2 check-in.
references:
  - https://attack.mitre.org/techniques/T1071/004/
author: Security Arsenal
date: 2026/04/15
tags:
  - attack.command_and_control
  - attack.t1071.004
logsource:
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|re: '^[a-z]{20,}\.[a-z]{2,3}$'
  condition: selection
falsepositives:
  - Legitimate software updates or CDN traffic
level: medium

KQL (Microsoft Sentinel/Defender)

Use these KQL queries in Microsoft Sentinel or Microsoft Defender for Endpoint to detect the installation of the trojanized apps or suspicious network activity on mobile devices connected to the corporate network.

// Detect installation of known malicious app packages (replace with specific SHA256 or package names)
DeviceEvents
| where ActionType == "ApplicationInstalled"
| where FileName in~ ("com.food.delivery.badapp", "com.enterprise.secure.chat")
| project Timestamp, DeviceName, FileName, AccountName
| order by Timestamp desc


// Detect potential data exfiltration to non-corporate endpoints
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort in (443, 80)
| where InitiatingProcessVersionInfoCompanyName != "Microsoft Corporation" 
     and InitiatingProcessVersionInfoCompanyName != "Google Inc." 
     and InitiatingProcessVersionInfoCompanyName != "Apple Inc."
| where RemoteUrl matches regex @"[a-z0-9]{32,}\.\.com" // High entropy domains
| summarize count() by DeviceName, RemoteUrl, InitiatingProcessFileName
| order by count_ desc

Velociraptor VQL

These Velociraptor hunts can be used to scan Android endpoints for the presence of the malicious package and check for permissions granted to gallery access.

-- Hunt for known malicious SparkCat package names on Android
SELECT PackageName, VersionName, LastUpdateTime, uid
FROM Android.Packages()
WHERE PackageName IN (
    'com.food.delivery.badapp',
    'com.enterprise.secure.chat'
)

-- Hunt for apps with suspicious permissions (Read External Storage)
SELECT PackageName, Permission, Requested
FROM Android.PackageManager(
    query="SELECT package_name, permission, granted FROM permissions WHERE granted=1"
)
WHERE Permission = "android.permission.READ_EXTERNAL_STORAGE"
  AND PackageName NOT IN (
      'com.whatsapp', 
      'com.instagram.android', 
      'com.facebook.katana',
      'com.google.android.apps.photos'
  )

Bash (Remediation Verification)

This bash script utilizes Android Debug Bridge (adb) to check devices for the presence of the malicious packages identified in the threat report. This is useful for admins managing corporate-owned Android devices.

#!/bin/bash

# List of known malicious package names for SparkCat variant
MALICIOUS_PACKAGES=(
    "com.food.delivery.badapp"
    "com.enterprise.secure.chat"
    "com.another.malicious.app"
)

echo "Checking connected devices for SparkCat variant indicators..."

# Get list of connected device serials
DEVICES=$(adb devices | grep -v "List of devices" | cut -f1)

for SERIAL in $DEVICES; do
    echo "Scanning Device: $SERIAL"
    for PKG in "${MALICIOUS_PACKAGES[@]}"; do
        # Check if package is installed
        RESULT=$(adb -s $SERIAL shell pm list packages | grep $PKG)
        if [ -n "$RESULT" ]; then
            echo "[ALERT] Malicious package found: $PKG"
            echo "Initiating uninstall..."
            adb -s $SERIAL shell pm uninstall $PKG
        else
            echo "[OK] $PKG not found."
        fi
    done
done

Remediation

To protect your organization from the SparkCat variant and similar threats, implement the following remediation steps immediately:

1. Identify and Block: Use the provided scripts and queries to scan your mobile fleet. If a device is found hosting the malicious app, immediately isolate the device from the corporate network (block Wi-Fi access via MAC filtering or MDM).

2. App Removal: Instruct users to uninstall the specific trojanized applications immediately. For corporate-owned devices, issue a remote wipe or specific app uninstall command via your Mobile Device Management (MDM) solution.

3. Wallet Compromise Response: Any user who had the malicious app installed and possesses a cryptocurrency wallet on that device must assume their recovery phrases have been compromised. They should:

   • Move funds to a new hardware wallet.
   • Generate new recovery phrases using a secure, offline environment.
   • Never re-use the old phrases.

4. Review App Permissions: Enforce strict MDM policies that limit application access to the photo gallery and external storage. Deny installation of apps from sources other than the official app store (if BYOD) and block specific categories of apps not required for business.

5. Update Signatures: Ensure your Mobile Threat Defense (MTD) solution (e.g., Microsoft Defender for Endpoint, Zimperium, etc.) is updated with the latest threat intelligence signatures for SparkCat.

6. User Education: Notify employees about the specific apps involved in this campaign. Advise them to be wary of apps with excessive permission requests, particularly if the app's functionality (e.g., a flashlight or calculator) does not logically require access to photos or contacts.

Related Resources

Security Arsenal Red Team Services AlertMonitor Platform Book a SOC Assessment pen-testing Intel Hub