How to Keep Your Crypto Wallet Safe When Malware Targets Your Photo Gallery: A Step-by-Step Guide

If you have ever taken a screenshot of your crypto wallet recovery phrase, you need to read this guide. Security researchers at Kaspersky uncovered a malware campaign called SparkCat that does something deceptively simple but devastating: it scans every photo on your phone looking for images that contain your wallet recovery words. The malware was found inside apps on both Google Play and Apple’s App Store, meaning even careful users who only download from official stores were at risk. This guide walks you through exactly what happened, why it matters for your crypto holdings, and the concrete steps you need to take right now to protect your assets.

The Basics

Your crypto wallet recovery phrase—usually 12 or 24 words—is the master key to all your cryptocurrency. Anyone who has these words can access your wallet and transfer your funds, regardless of what device or security measures you use. Most wallet applications display this phrase when you first create a wallet and strongly recommend writing it down on paper. However, many users instead photograph or screenshot the phrase for convenience, storing it in their phone’s photo gallery where it sits alongside vacation pictures and dinner photos.

SparkCat malware exploits this common habit. It uses optical character recognition—the same technology that lets you copy text from photos—to scan through your images looking for patterns that match recovery phrases. When it finds a match, it silently sends that image to the attacker’s server. With Bitcoin trading around $96,600 and Ethereum near $2,675, a single compromised recovery phrase could mean the loss of thousands of dollars in cryptocurrency.
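The same pattern matching the article describes can be pointed at your own data for the self-audit in Step 1: run gallery screenshots or note exports through any OCR tool, then check the resulting text for long runs of wallet recovery words. The Python below is an added example, not code from the article, from Kaspersky, or from the malware; it assumes a constructed subset of the BIP-39 English wordlist (the real list has 2048 words) and a constructed OCR sample, and it only classifies text.

```python
import re

# Constructed subset of the BIP-39 English wordlist for this example; the
# real list has 2048 words. For a real self-audit, load the full list
# from a trusted local copy (assumption: a file such as english.txt).
BIP39_SUBSET = frozenset("""
abandon ability able about above absent absorb abstract absurd abuse
access accident account accuse achieve acid acoustic acquire across act
window winter wisdom world wrap wrist write wrong yellow zero zone zoo
""".split())

MIN_RUN = 12                          # shortest valid BIP-39 phrase
VALID_LENGTHS = (12, 15, 18, 21, 24)  # lengths BIP-39 allows
_WORD = re.compile(r"[a-z]+")         # numbering like "1." is skipped


def find_seed_candidates(text, wordlist=BIP39_SUBSET):
    """Return every maximal run of at least MIN_RUN consecutive wordlist
    words in OCR (or notes) text, each run as a list of words.

    Ordinary prose rarely strings 12 wordlist words together, so such a
    run is a strong signal. With the full list you would also verify the
    BIP-39 checksum to cut the remaining false positives.
    """
    words = _WORD.findall(text.lower())
    hits, i = [], 0
    while i < len(words):
        if words[i] not in wordlist:
            i += 1
            continue
        j = i
        while j < len(words) and words[j] in wordlist:
            j += 1
        if j - i >= MIN_RUN:
            hits.append(words[i:j])
        i = j
    return hits


def triage(text):
    """'phrase' if a run has an exact BIP-39 length, 'suspicious' for
    other long runs (often a phrase plus OCR noise), else 'clean'."""
    hits = find_seed_candidates(text)
    if not hits:
        return "clean"
    return "phrase" if any(len(h) in VALID_LENGTHS for h in hits) else "suspicious"


# Constructed sample standing in for OCR output of a gallery screenshot.
SAMPLE_SCREENSHOT = """Wallet backup - do not share
1. abandon 2. ability 3. able 4. about 5. above 6. absent
7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident"""

if __name__ == "__main__":
    for phrase in find_seed_candidates(SAMPLE_SCREENSHOT):
        print(f"{len(phrase)}-word candidate starting with {phrase[0]!r}")
```

Any image that triages as "phrase" or "suspicious" is one to delete from the gallery (and from Recently Deleted) and to treat as a compromised wallet under Step 2.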

The malware was embedded in seemingly innocent apps including a food delivery application called ComeCome. Over 242,000 people downloaded infected Android apps before Google removed them on February 7, 2025. Apple removed infected iOS apps the day before. The campaign had been running undetected since at least March 2024.

Why It Matters

This attack works because it targets a behavior, not a technical vulnerability. Your phone’s security software cannot distinguish between you opening a photo of your recovery phrase and you opening any other image. The malware uses Google’s own legitimate ML Kit library for text recognition, which means the OCR functionality appears normal to security scanners.

Cryptocurrency transactions are irreversible. Once an attacker uses your recovery phrase to transfer your Bitcoin, Ethereum, or any other token, there is no customer service number to call and no bank that can reverse the transaction. The blockchain is designed to be immutable, which is excellent for trustless transactions but devastating when your private keys are compromised.

This threat is particularly relevant for new crypto users who may not fully understand the importance of the recovery phrase. If you set up a wallet years ago, took a screenshot of your seed phrase, and forgot about it, that image is still sitting in your photo gallery waiting to be found by the next piece of malware that gains access.

Getting Started Guide

Step 1: Delete all recovery phrase images immediately. Open your phone’s photo gallery and search for any screenshots or photos containing your wallet recovery words. Delete them and then empty your trash or recently deleted folder. On both iOS and Android, deleted photos remain recoverable for 30 days unless you manually empty the trash.

Step 2: Migrate to a new wallet. If your recovery phrase was ever photographed or stored digitally, assume it is compromised. Create a brand new wallet using a hardware device like a Trezor or Ledger, transfer all your funds to the new wallet, and never photograph the new recovery phrase. Write it down on paper or engrave it on a metal backup plate designed for this purpose.

Step 3: Restrict app photo access. Go through every app on your phone and revoke photo gallery access for any app that does not genuinely need it. On iOS, go to Settings, Privacy and Security, Photos. On Android, go to Settings, Privacy, Permission manager, Photos and videos. Most apps should have No Access or Selected Photos Only rather than full gallery access.

Step 4: Audit your installed apps. Review all applications installed on your phone and delete any you do not actively use. Pay particular attention to apps downloaded between March 2024 and February 2025 that requested photo or storage permissions. The list of apps infected with SparkCat is still being compiled by security researchers.

Common Pitfalls

The biggest mistake is thinking that storing recovery phrases in encrypted notes apps or password managers on your phone provides adequate protection. If malware can read your screen or access your clipboard, these digital storage methods are still vulnerable. The only truly safe approach is physical storage—paper or metal—in a secure location away from your electronic devices.

Another common error is relying on biometric security like Face ID or fingerprint as your only protection. While biometrics prevent unauthorized physical access to your device, they do nothing to protect against malware running within apps that you have already unlocked. SparkCat operates entirely within the permissions you granted to the infected app.

Avoid storing recovery phrases in cloud services like iCloud Photos, Google Photos, or Dropbox. These services sync your photo gallery across devices, meaning a photo of your recovery phrase taken on your phone could end up on your computer, tablet, and cloud servers—dramatically expanding the attack surface.

Next Steps

Once you have secured your current wallets, establish a permanent security routine. Use a hardware wallet for any cryptocurrency holdings above $1,000. Hardware wallets generate and store private keys on a dedicated device that never connects to the internet, making it impossible for malware like SparkCat to access your keys remotely.

Set up monitoring alerts on your wallet addresses using free blockchain explorers like mempool.space for Bitcoin or etherscan.io for Ethereum. These services can send you email notifications when transactions occur on your addresses, allowing you to detect unauthorized transfers quickly. While you cannot reverse blockchain transactions, early detection helps you secure remaining funds before an attacker can drain additional wallets.

Finally, share this knowledge with anyone you know who holds cryptocurrency. The SparkCat campaign affected hundreds of thousands of users, and many victims may not yet realize their recovery phrases have been compromised. Security awareness remains the most effective defense against social engineering and malware attacks in the cryptocurrency space.

Disclaimer: This article is for educational purposes only and does not constitute financial or security advice. Always consult with qualified professionals for specific security concerns.

7 thoughts on “How to Keep Your Crypto Wallet Safe When Malware Targets Your Photo Gallery: A Step-by-Step Guide”

  1. the sparkcat guide is solid but the real takeaway is simpler: never put your seed phrase anywhere digital. ever. not photos not notes not cloud

    1. Agreed, though I wish more wallet apps warned users explicitly about screenshots during setup. Most just say write it down and move on.

      1. ledger and trezor both warn you during setup but the warning is a tiny checkbox people click through in 2 seconds

        1. Zara and the checkbox is buried in a wall of text nobody reads. wallet UX needs to treat seed phrase storage as a security critical moment, not a setup afterthought

    2. agreed but people will still take screenshots. hardware wallet plus metal backup plate is the only bulletproof solution

    3. nosleep_dev even metal plates can be stolen. the real answer is Shamir secret sharing, split your seed across multiple locations

  2. chad_endpoint

    the step about deleting gallery screenshots of your seed phrase is the most important thing in this entire article. do it now if you haven't
