
Malware named SparkKitty surreptitiously snatches images from galleries in pursuit of hidden crypto wallet seed phrases.

SparkKitty Malware Identified by Kaspersky's SecureList: Image Thieving Malware Searches for Cryptocurrency Seed Phrases on Infected Devices

Cyber Criminals' New Tactic: SparkKitty Malware Filches Gallery Images in Pursuit of Cryptocurrency Seed Phrases


**New Mobile Threat: SparkKitty Malware Targets Cryptocurrency Users**

A new malware threat, named SparkKitty, has been uncovered by Kaspersky Lab's research arm, SecureList. This sophisticated mobile malware is designed to target both iOS and Android devices, primarily focusing on users in Southeast Asia and China. The malware's main objective is to steal images from users' photo libraries to extract sensitive information such as cryptocurrency wallet seed phrases and recovery data.

### Connection to SparkCat

SparkKitty is believed to be a successor to SparkCat, an earlier spyware campaign discovered in January 2025, which similarly targeted crypto wallets by using optical character recognition (OCR) to detect and exfiltrate images containing wallet recovery phrases. Both malicious programs utilize OCR technology to sift through images to find valuable data, but SparkKitty is noted for its broader and more aggressive image theft strategy, uploading images in bulk rather than selectively.

### Target Platforms and Infection Methods

#### iOS

On iOS devices, SparkKitty is delivered through fake software frameworks or enterprise provisioning profiles that appear legitimate but run malicious code when the infected app launches. It leverages native Objective-C methods to stealthily monitor and steal images. Attackers have used frameworks mimicking common libraries like AFNetworking or Alamofire and obfuscated library files such as libswiftDarwin.dylib to hide the payload.
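The delivery traits described above (an enterprise provisioning profile, a framework named after a well-known library, a lone libswiftDarwin.dylib) can be checked for during app triage. The following Python script is an added example written for this page, not Kaspersky's tooling, and it runs offline against an .ipa it constructs in memory; the sample app name "Wallet", the profile fields and the file contents are constructed placeholders. It lifts the plist out of embedded.mobileprovision (the ProvisionsAllDevices key is what distinguishes in-house enterprise profiles from App Store builds), hashes any framework binary carrying one of the mimicked names so it can be compared against the upstream release, and flags a watchlisted libswift*.dylib that sits in Frameworks/ without the libswiftCore.dylib a legitimately embedded Swift runtime always brings along.

```python
"""Triage an iOS .ipa for the SparkKitty delivery traits described in the article.

Example code written for this page, not Kaspersky's tooling. The IPA used
below is constructed in memory, so everything runs offline.
"""
import hashlib
import io
import plistlib
import re
import zipfile

# Names the article associates with the SparkKitty iOS payload.
WATCHLIST_DYLIBS = {"libswiftDarwin.dylib"}
MIMICKED_FRAMEWORKS = {"AFNetworking", "Alamofire"}

# A .mobileprovision is a CMS-signed blob with the plist embedded as plain
# text; for triage we lift the plist out with a regex (no signature check).
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def parse_mobileprovision(blob: bytes) -> dict:
    """Return the plist dictionary embedded in a provisioning profile blob."""
    m = PLIST_RE.search(blob)
    return plistlib.loads(m.group(0)) if m else {}


def triage_ipa(ipa_bytes: bytes) -> dict:
    """Return structured findings for an .ipa (a zip archive) given as bytes."""
    findings = {
        "enterprise_profile": False,
        "lone_swift_dylibs": [],
        "frameworks_to_verify": {},
    }
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            # Enterprise delivery: ProvisionsAllDevices is only set on in-house
            # (enterprise) profiles, never on an App Store build.
            if name.endswith("embedded.mobileprovision"):
                prof = parse_mobileprovision(zf.read(name))
                findings["enterprise_profile"] = bool(prof.get("ProvisionsAllDevices"))
            # Hash the binary of any framework carrying a well-known name so the
            # analyst can compare it with the upstream release; a mismatch is
            # the mimicry the article describes.
            m = re.search(r"/Frameworks/([^/]+)\.framework/([^/]+)$", name)
            if m and m.group(1) == m.group(2) and m.group(1) in MIMICKED_FRAMEWORKS:
                digest = hashlib.sha256(zf.read(name)).hexdigest()
                findings["frameworks_to_verify"][m.group(1)] = digest
        dylibs = {n.rsplit("/", 1)[-1] for n in names
                  if "/Frameworks/" in n and n.endswith(".dylib")}
    # Pre-Swift-5 apps legitimately embed the Swift runtime, but then
    # libswiftCore.dylib is always present too. A watchlisted libswift*.dylib
    # without it is a payload hiding behind a familiar file name.
    if "libswiftCore.dylib" not in dylibs:
        findings["lone_swift_dylibs"] = sorted(dylibs & WATCHLIST_DYLIBS)
    return findings


def build_sample_ipa(enterprise: bool = True) -> bytes:
    """Construct a minimal IPA showing the traits (test fixture, not real malware)."""
    profile = {"Name": "constructed profile", "TeamName": "Example Team"}
    if enterprise:
        profile["ProvisionsAllDevices"] = True
    # Crude stand-in for the CMS wrapper: a few bytes before and after the plist.
    prov = b"\x30\x82" + plistlib.dumps(profile) + b"\x00signature-bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        app = "Payload/Wallet.app/"
        zf.writestr(app + "Wallet", b"\xcf\xfa\xed\xfe main binary placeholder")
        zf.writestr(app + "embedded.mobileprovision", prov)
        zf.writestr(app + "Frameworks/AFNetworking.framework/AFNetworking",
                    b"not the real AFNetworking")
        zf.writestr(app + "Frameworks/libswiftDarwin.dylib", b"payload placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_ipa(build_sample_ipa()).items():
        print(f"{key}: {value}")
```

Every hit here is a triage signal rather than a verdict: enterprise profiles are normal for in-house apps, and a framework named AFNetworking is only suspicious once its hash fails to match the vetted upstream build. The lone-dylib heuristic is the strongest of the three, because the Swift runtime is embedded as a set, never as a single libswiftDarwin.dylib.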

#### Android

On Android, the malware hides in apps written in Java or Kotlin and sometimes uses malicious Xposed or LSPosed modules. It activates on app launch or when a specific screen appears, decrypting configuration files from remote servers to begin uploading sensitive images and device data.

### Distribution and Reach

SparkKitty has infiltrated official app marketplaces, including the Google Play Store and Apple App Store, before removal. For example, the Android app "SOEX," a messaging app with cryptocurrency features, had over 10,000 downloads before being taken down. On iOS, malicious apps like 币coin were removed following discovery. Additionally, SparkKitty spreads through unofficial channels such as fake app stores and phishing sites distributing modified app clones.

### Main Objective

Unlike typical spyware, SparkKitty does not just monitor activity; it bulk uploads photos, mostly targeting images containing cryptocurrency wallet seed phrases, wallet screenshots, IDs, and sensitive documents. These images are then sifted by criminals to extract valuable personal and financial data.

### Geographic Focus

The malware primarily targets users in Southeast Asia and China, likely due to the high prevalence of cryptocurrency usage and related apps in these regions.

It is essential for users to be vigilant and conduct their own research before downloading any apps, especially those related to cryptocurrency. Users are also encouraged to consult with a qualified financial adviser before making any investment decisions.

The SparkKitty malware, a sophisticated threat discovered by Kaspersky Lab's SecureList, uses optical character recognition technology to steal images containing sensitive information such as cryptocurrency wallet seed phrases and recovery data from users' photo libraries. Unlike typical spyware, this malware bulk uploads photos, primarily targeting users in Southeast Asia and China due to the high prevalence of cryptocurrency usage and related apps in these regions. It's crucial for users to be cautious and conduct thorough research before downloading any apps, especially those related to finance and cryptocurrency, and to consult with a qualified financial adviser for investment decisions.
