Back to Blog
Research 1 min read

SparkCat Android Malware

SparkCat Android Malware

Our threat intelligence team at SecneurX has identified an active SparkCat malware variant currently live on the Google Play Store using the SecneurX Advanced Malware Analysis platform, which performs dynamic analysis of files across multiple detonation environments and different OS versions, supporting Windows, Linux, BOSS Linux, Android, and macOS across the latest, latest-1, and latest-2 OS versions. The findings are alarming.

What Did We Find?

As part of SecneurX's ongoing mission to keep the community secure, we continuously monitor and analyze every application hosted on the Google Play Store. During this analysis, our team identified a suspicious application disguised as a Chinese food delivery service:

App Name: come live - come come
Package: com.wFaceview_13589660
SHA256: 5029bb8a5b11d6e19f5e042fa9d93268b5d90a9735e1cb065cb1146079462645
Last Updated: April 27, 2026
Severity: CRITICAL
come live-come come app playstore image
come live-come come app playstore image

Using the SecneurX Advanced Malware Analysis platform, the app was caught communicating with a confirmed malicious C2 server, kefu[.]helps[.]live, independently verified as malicious by multiple threat intelligence platforms.

What is SparkCat?

SparkCat is one of the most deceptive mobile infostealers in the wild today. First documented in early 2025, it has now returned with a more obfuscated 2026 variant. Here is how it works and why it is so dangerous:

  1. It hides in plain sight. The malware embeds itself as a fake analytics SDK called "Spark" inside legitimate-looking apps, including food delivery services, chat apps, and enterprise tools, and passes app store security reviews undetected.
  2. It weaponizes your photo gallery. Once installed, SparkCat requests access to your photo gallery. While many apps make this request, underneath it activates an OCR (Optical Character Recognition) engine built on Google's own ML Kit, silently scanning every image and screenshot on your device.
  3. It is hunting for your crypto wallet. The OCR engine specifically looks for cryptocurrency wallet seed and recovery phrases captured in screenshots. It supports English, Chinese, Japanese, Korean, and European languages, making this a globally targeted campaign.
  4. It exfiltrates over a custom Rust protocol. Matched images are instantly sent to the attacker's C2 server over a custom protocol written in Rust, deliberately chosen to evade standard network detection tools.
  5. The theft is permanent. With your wallet recovery phrase, attackers can drain your entire cryptocurrency wallet from any device, anywhere in the world. There is no reversal.

Why This 2026 Variant is More Dangerous

The latest variant raises the stakes further:

Indicators of Compromise

3 indicators
Domains
kefu[.]helps[.]live
URLs
hxxps[:]//kefu[.]helps[.]live/v1/webimplugin/tenants/0/options/visitorKeepaliveHeartbeatDelay
SHA256 Hashes
5029bb8a5b11d6e19f5e042fa9d93268b5d90a9735e1cb065cb1146079462645

How to Protect Yourself and Your Organization

Never screenshot your crypto wallet seed or recovery phrases. Store them offline, in physical form only. Be selective with gallery permissions. If a food delivery or chat app requests photo access, ask yourself why. Keep Google Play Protect enabled and regularly audit installed apps. Use mobile threat defense (MTD) solutions that monitor app behavior at runtime, not just at install time. Block the IOCs above at your network perimeter and mobile endpoint controls.