Hello, supercycle of crypto-crime. A new trojan called SparkKitty has been detected in the App Store and Google Play that infects smartphones and steals sensitive data, potentially allowing attackers to empty victims’ crypto wallets.
Malware is embedded in applications related to crypto trading, gambling, and even modified versions of TikTok.
Once installed through deceptive preparation profiles — which are used to run iOS apps or modified apps — SparkKitty requests access to the gallery. Once it is granted permission, it monitors changes, creates a local database of stolen images, and uploads the photos to a remote server.
Experts suspect that the purpose of stealing the images is to search for screenshots of seed phrases from crypto wallets.
Currently, the malware mainly targets victims in China and Southeast Asia.
Malware such as SparkKitty allows attackers to use data from infected devices to find wallet credentials. Seed phrases are extremely valuable because they give full access to a user’s crypto wallet.
SparkKitty is related to the SparkCat spyware, first detected in January 2025, which similarly used malicious SDKs to gain access to photos on users’ devices.
While SparkCat focused its spyware on images with seed phrases using optical character recognition (OCR) technology, SparkKitty stole all images.
Source: Securelist