A newly discovered piece of mobile malware called SparkKitty has been found lurking in apps on both Google Play and the Apple App Store, stealing images from users’ photo galleries, with a strong focus on cryptocurrency wallet seed phrases.
The malware appears to be an evolved version of SparkCat, previously identified by Kaspersky in January. Like its predecessor, SparkKitty uses optical character recognition (OCR) to identify and extract sensitive recovery phrases from images stored on compromised Android and iOS devices.
While it’s widely advised never to store crypto wallet seed phrases digitally, many users still take screenshots for convenience, making them an attractive target for threat actors.
How SparkKitty Works
Once installed, SparkKitty scans and uploads all images from a device’s gallery. On Android, the malware is typically embedded in Java/Kotlin-based apps and may include Xposed or LSPosed modules to enhance its capabilities. On iOS, it’s hidden within fake frameworks or deployed through enterprise provisioning profiles.

Kaspersky researchers found the malware inside two apps:
- 币coin on the Apple App Store
- SOEX on Google Play — a messaging app with crypto exchange features that had over 10,000 downloads before removal.
The malware initiates once the app is launched. On Android, it requests storage access and scans images using Google ML Kit OCR to selectively upload those containing text. On iOS, it requests photo gallery permissions and begins exfiltrating images automatically, including newly added ones.
SparkKitty’s Distribution
Beyond official stores, SparkKitty is also being distributed through unofficial channels, bundled into TikTok clones, gambling apps, and fake crypto tools. These apps often appear legitimate but are designed to bypass platform security, especially on iOS, where users are tricked into installing custom profiles.
Once activated, the malware decrypts remote configuration files using AES-256 to fetch command-and-control (C2) server instructions and begin the data theft process.
What Users Should Know
Security experts warn that SparkKitty is yet another example of malware bypassing vetting processes in official app marketplaces. Although both Google and Apple have since removed the offending apps, the breach highlights the need for vigilance.
“Android users are automatically protected against this app regardless of download source by Google Play Protect,” Google told BleepingComputer. Apple has not yet commented on the matter.
To stay safe, users are advised to:
- Avoid storing seed phrases or sensitive data in photos
- Scrutinize apps before installation, especially if they request photo or storage access
- Check for fake reviews, low download counts, or unfamiliar developers
- Avoid installing iOS configuration profiles from unverified sources
- Enable Google Play Protect and perform regular scans on Android devices
As cryptocurrency adoption grows, so does the interest of cybercriminals in targeting wallets. Storing wallet recovery phrases offline — on paper or a hardware solution — remains the most secure method.
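The advice above to scrutinize apps that request photo or storage access can also be applied to apps already installed on an Android device. The following is an added example, not code from Kaspersky or the original article: it parses text in the layout printed by `adb shell dumpsys package` and lists apps that currently hold a granted image-read permission. The sample input, package names and function name are constructed for illustration, and the output layout is assumed to match the sample.

```python
import re

# Runtime permissions that let an app read the photo gallery.
IMAGE_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",  # legacy storage permission
    "android.permission.READ_MEDIA_IMAGES",      # Android 13 and later
}

# Constructed sample in the layout of `adb shell dumpsys package`;
# the package names are hypothetical.
SAMPLE_DUMPSYS = """\
Package [com.example.chatwallet] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_MEDIA_IMAGES
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
Package [com.example.flashlight] (7a8b9c):
    requested permissions:
      android.permission.CAMERA
    runtime permissions:
      android.permission.CAMERA: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def apps_with_gallery_access(dumpsys_text):
    """Return {package: [granted image permissions]} for apps that can read photos."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)  # start of a new package section
            continue
        grant = GRANT_RE.match(line)
        # A merely requested permission has no "granted=" suffix and is skipped.
        if current and grant and grant.group(2) == "true" and grant.group(1) in IMAGE_PERMS:
            result.setdefault(current, set()).add(grant.group(1))
    return {p: sorted(perms) for p, perms in result.items()}

if __name__ == "__main__":
    for pkg, perms in apps_with_gallery_access(SAMPLE_DUMPSYS).items():
        print(pkg, "->", ", ".join(perms))
```

Any app on the resulting list that has no clear need for the gallery is a candidate for having the permission revoked in system settings.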





