Author: Blockchain Pioneer
Cybersecurity researchers have uncovered a highly sophisticated method hackers are using to drain cryptocurrency wallets. This method targets a vulnerability most people do not even think about: the photo gallery on your smartphone.
A new, evolving strain of malware known as SparkCat has bypassed security reviews on both the Apple App Store and the Google Play Store.
SparkCat, explained
SparkCat is a Trojan that was originally discovered in February 2025. The threat actors have released a heavily disguised version of the malware.
SparkCat is designed to find and steal a user's crypto wallet recovery phrase, which makes it possible to drain all the funds.
The malware does not look like a virus. Instead, the developers hide the malicious code inside seemingly harmless applications.
The researchers identified and removed two infected apps from the iOS App Store and one from the Google Play Store. The malware is also distributed via third-party websites.
The malware executes a highly effective attack that involves requesting permissions, silently scanning the photo gallery, and reading the images with the help of an optical character recognition (OCR) module.
If the OCR module detects specific keywords, it immediately sends that image to the attacker's remote server.
How to protect yourself?
Treating your camera roll like a notepad is obviously not a good idea. Avoid taking or storing screenshots of sensitive information (especially cryptocurrency wallet recovery phrases).
If you must keep digital copies of important documents or passwords, store them in an encrypted application.
Always exercise extreme caution when granting photo or file permissions to new apps.