In a detailed report released by Kaspersky analysts Sergey Puzan and Dmitry Kalinin, SparkKitty has been found targeting both Android and iOS users via apps available on Google Play and the Apple App Store.
The goal is to gain access to sensitive financial data by harvesting images from a user’s photo gallery.
Image: A SparkKitty malware victim (Source: Kaspersky)
Once SparkKitty infiltrates a device, it silently begins copying all images stored in the device’s photo gallery. While its main objective appears to be locating screenshots of cryptocurrency wallet seed phrases, analysts warn that other forms of sensitive data may also be compromised.
This method of attack is especially dangerous as many users store wallet seed phrases, passwords, and even identification documents as screenshots, assuming their photo galleries are secure.
Kaspersky identified at least two malicious apps used to distribute SparkKitty. These include SOEX and 币coin.
The SOEX app, in particular, had a substantial reach with over 10,000 installs before its removal. Following Kaspersky’s report, Google confirmed that the app has been taken down and the developer banned.
Image: SOEX was infected with the SparkKitty malware (Source: Kaspersky)
Kaspersky researchers have also found SparkKitty embedded in other seemingly unrelated apps, including adult games, gambling apps, and fake or malicious versions of TikTok.
SparkKitty bears a strong resemblance to another malware strain named ‘SparkCat’, which was discovered by Kaspersky earlier this year. Like SparkKitty, SparkCat scans through user photos in search of crypto wallet recovery phrases.
Both malware strains are believed to have originated from the same source due to overlapping features and similar file paths observed in the attackers’ infrastructure.
The researchers noted:
“While not technically or conceptually complex, this campaign has been ongoing since at least the beginning of 2024 and poses a significant threat to users.”
Unlike SparkCat, which selectively scanned images, SparkKitty indiscriminately harvests all photos, increasing the chances of capturing sensitive content.
While the campaign is global in scope, the primary focus appears to be on users in Southeast Asia and China. Many of the infected apps include Chinese-language content, gambling-related themes, and social media clones aimed at local demographics.
However, Kaspersky warns that there are no technical barriers preventing SparkKitty from targeting users elsewhere.
How do I know if my phone is infected with SparkKitty?
SparkKitty works silently in the background and may not show obvious signs. If you’ve recently installed any unknown or crypto-themed apps not verified by major publishers, uninstall them and run a mobile security scan immediately.
What can SparkKitty do with my photos?
The malware aims to identify crypto wallet seed phrases in screenshots. However, it can also compromise other personal images that contain financial, legal, or identification information.
Are iOS users at risk too?
Yes. Although Android is more commonly targeted, one of the infected apps, 币coin, was found on the Apple App Store, proving that iOS users are not immune.
How can I protect myself?
Avoid downloading unknown apps, even from official app stores; use antivirus or mobile security tools from reputable providers; never store sensitive information like seed phrases in your gallery; and enable automatic updates and Google Play Protect.