- SparkKitty Trojan steals images from phones to capture crypto wallet seed phrases, targeting China and Southeast Asia.
- The malware spreads via infected crypto apps, TikTok mods, and gambling apps on iOS and Android app stores.
- SparkKitty is linked to the earlier SparkCat spyware, but it indiscriminately steals all photos for later analysis.
Cybersecurity firm Kaspersky reported on June 23, 2025, that a new mobile Trojan named SparkKitty has been discovered stealing cryptocurrency wallet data by siphoning images from infected smartphones.
The malware primarily targets users in China and Southeast Asia, embedding itself in crypto-related apps, gambling games, and modified versions of TikTok available on the Apple App Store, Google Play, and third-party sites.
SparkKitty gains access through deceptive provisioning profiles or app disguises, requesting permission to access users’ photo galleries.
It then continuously monitors for new images, creating a local database of stolen photos uploaded to remote servers.
Kaspersky suspects the attackers’ main goal is to capture screenshots of crypto wallet seed phrases—critical credentials that allow full access to users’ wallets.
This malware campaign is believed to be an evolution of the earlier SparkCat spyware, which used optical character recognition (OCR) to selectively extract images containing seed phrases.
Unlike SparkCat, SparkKitty indiscriminately steals all photos, presumably for later analysis.
Notable infected apps include “Coin,” a fake crypto tracker on the App Store, and “Soex Wallet Tracker,” a messaging app with crypto features downloaded over 10,000 times from Google Play before removal.
The malware’s spread through official app stores highlights ongoing challenges in detecting sophisticated threats.
With crypto thefts linked to seed phrase compromises accounting for a large share of losses, SparkKitty underscores the urgent need for users to safeguard wallet credentials and exercise caution when downloading apps.
Edited by Annette George
