SparkKitty Malware Secretly Targets Crypto Users Through Photo Galleries
A new mobile malware called SparkKitty is silently invading smartphones, searching image libraries for cryptocurrency seed phrases to steal funds.
Cybersecurity firm Kaspersky uncovered the threat after months of monitoring suspicious activity across both Android and iOS platforms.
The malware is hidden inside seemingly harmless apps and has already affected thousands of users, mostly in China and Southeast Asia.
How Malicious Apps Trick Users Into Granting Access
SparkKitty is embedded in various crypto-themed apps, such as portfolio trackers and messaging tools, as well as adult games, casino platforms, and counterfeit TikTok clones.
One compromised app, SOEX, was a messaging platform with crypto exchange features and had already been downloaded over 10,000 times before Google removed it.
Another, known as 币coin, posed as a crypto price tracker and was hosted on Apple’s App Store.
Once installed, the apps behave like regular tools while quietly requesting permission to access photo galleries.
After access is granted, the malware begins scanning the gallery for potential wallet recovery phrases, whether captured in screenshots or in photos of handwritten notes.
SparkKitty’s Sophisticated Extraction Tactics
On Android devices, the malware uses modified Java libraries along with Google’s ML Kit to identify seed phrases via optical character recognition (OCR).
On iOS, attackers embedded a hidden class into networking frameworks like AFNetworking or Alamofire.
This class activates automatically at launch using Objective-C’s +load method, checks a configuration setting, then connects to a command-and-control (C2) server to receive instructions.
The stolen images are sent to external servers via encrypted communications, with malware variants using spoofed OpenSSL libraries and obfuscated paths like `/api/putImages` and `/api/getImageStatus`.
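The two C2 request paths above are the kind of indicator a defender can hunt for in mobile gateway or proxy logs. The following is an added example, not code from Kaspersky or the article: it parses constructed access-log lines (the log format, hostnames, device ids and app names are assumptions made up for this example) and groups hits on the known paths by device, so a team can see which app on which handset was uploading images.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# C2 request paths reported for SparkKitty (from the Kaspersky write-up).
SPARKKITTY_PATHS = frozenset({"/api/putImages", "/api/getImageStatus"})

# Log format is an assumption: one request per line, space-separated
# "ts device=<id> app=<bundle> <METHOD> <url> <status> <bytes>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) app=(?P<app>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample traffic; hosts, device ids and app names are made up.
SAMPLE_LOG = """\
2025-06-20T10:01:02Z device=ios-7f3a app=com.example.pricetracker POST https://c2.example.invalid/api/putImages 200 1843211
2025-06-20T10:01:05Z device=ios-7f3a app=com.example.pricetracker GET https://c2.example.invalid/api/getImageStatus?id=17 200 88
2025-06-20T10:02:11Z device=android-21c app=com.example.chat GET https://api.example.invalid/v1/messages 200 1204
2025-06-20T10:03:40Z device=android-21c app=com.example.chat POST https://c2.example.invalid/api/putImages 200 2210044
this line is not in the expected format
"""

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = urlsplit(fields["url"]).path  # drop the query string before matching
    fields["bytes"] = int(fields["bytes"])
    return fields

def find_sparkkitty_traffic(log_text):
    """Group hits on the known C2 paths by device: apps seen, paths hit, bytes POSTed."""
    hits = defaultdict(lambda: {"apps": set(), "paths": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["path"] not in SPARKKITTY_PATHS:
            continue
        entry = hits[f["device"]]
        entry["apps"].add(f["app"])
        entry["paths"].add(f["path"])
        if f["method"] == "POST":  # image uploads go to putImages via POST
            entry["bytes_out"] += f["bytes"]
    return dict(hits)

if __name__ == "__main__":
    for device, info in find_sparkkitty_traffic(SAMPLE_LOG).items():
        print(device, sorted(info["apps"]), sorted(info["paths"]), info["bytes_out"])
```

The byte counts on POSTs to `/api/putImages` are a useful triage signal, since a whole photo library leaving a handset is far larger than a price tracker's normal API chatter.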
Trick Installation Through Enterprise Profiles
The iOS version bypasses normal restrictions by abusing Apple’s enterprise provisioning system.
Victims are tricked into manually trusting a developer certificate linked to “SINOPEC SABIC Tianjin Petrochemical Co. Ltd.”
Once installed, the malware operates with near-system-level access, enabling it to scan photos without alerting the user.
Kaspersky’s researchers noted this tactic makes it harder to detect compared to more conventional threats.
Kaspersky analysts Sergey Puzan and Dmitry Kalinin wrote,
“Although we suspect the attackers’ main goal is to find screenshots of crypto wallet seed phrases, other sensitive data could also be present in the stolen images.”
Link To Previous SparkCat Campaign
SparkKitty appears to be an evolved version of SparkCat, a malware first flagged in January 2025 that also targeted photo galleries to extract seed phrases.
Both strains share similarities in code, debug symbols, and infection techniques.
Translated image of SparkCat process (Source: X)
However, SparkKitty shows broader ambitions by indiscriminately uploading entire photo libraries rather than scanning locally.
While SparkCat mainly operated through unofficial Android downloads, SparkKitty has managed to breach official app stores, significantly raising the risk of exposure to regular users.
Crypto Remains Prime Target
The malware campaign highlights the ongoing danger to crypto holders.
Seed phrases — the recovery keys to cryptocurrency wallets — remain highly sought after by cybercriminals due to their direct link to user funds.
According to TRM Labs’ 2024 report, over 70% of the $2.2 billion in crypto thefts last year stemmed from private key and seed phrase compromises. SparkKitty fits directly into this pattern.
Despite the removal of several infected apps, Kaspersky warns that SparkKitty’s campaign may still be active via sideloaded versions and clone stores, with no region-specific limitations.
Puzan and Kalinin said,
“While not technically or conceptually complex, this campaign has been ongoing since at least the beginning of 2024 and poses a significant threat to users.”