Cybersecurity giant Kaspersky has uncovered a sophisticated new threat targeting users worldwide, as the SparkKitty malware infiltrates iOS and Android devices to steal photos containing crypto wallet seed phrases and sensitive financial information.
This insidious trojan operates by extracting all media files from infected smartphones, specifically hunting for screenshots of cryptocurrency recovery phrases that users commonly save for backup purposes. The malware represents an evolution of the previously discovered SparkCat trojan, employing similar optical character recognition technology to scan image galleries and identify valuable crypto credentials that could provide access to digital wallets worth thousands or millions of dollars.
The attack vectors for SparkKitty demonstrate remarkable sophistication, with cybercriminals embedding the malware within seemingly legitimate applications available on both the Apple App Store and Google Play Store.
The malware’s distribution strategy extends beyond official app stores, with researchers discovering infected versions of popular applications including TikTok clones, casino games, and adult-themed apps distributed through phishing websites designed to mimic legitimate app stores.
Targeted Malware Strategy
The SparkKitty campaign appears to concentrate its efforts on users in Southeast Asia, China, and the Philippines, suggesting a coordinated operation targeting regions with high cryptocurrency adoption rates.
Kaspersky analysts Sergey Puzan and Dmitry Kalinin noted that while the malware exhibits no strict geographic boundaries, these regions experience disproportionately higher infection rates. This targeting strategy aligns with broader cryptocurrency crime trends, as cybercriminals increasingly focus on markets where digital asset usage has become mainstream but security awareness may lag behind adoption rates.
The connection to the earlier SparkCat malware campaign indicates this represents part of a sustained effort by cybercriminal organizations to exploit the growing trend of cryptocurrency storage on mobile devices.
Both malware families share similar technical characteristics and operational methodologies, suggesting the same threat actors may be responsible for this expanded campaign. The evolution from SparkCat to SparkKitty demonstrates how cybercriminals adapt their tactics to overcome security improvements while maintaining their core objective of cryptocurrency theft.
Industry Response
The timing of the SparkKitty campaign appears strategically aligned with the recent surge in cryptocurrency values, as Bitcoin trades above $108,000 and many altcoins have experienced substantial gains throughout 2025. This correlation suggests cybercriminals are intensifying their efforts to exploit the growing wealth stored in digital wallets during periods of market euphoria.
As cryptocurrency portfolios reach new all-time highs, the potential payoff from successfully compromising user seed phrases has increased dramatically, making sophisticated malware campaigns like SparkKitty more attractive to threat actors.
Following Kaspersky’s discovery, both Google and Apple have taken swift action to remove identified malicious applications from their respective app stores.
Google’s spokesperson confirmed that Android users receive automatic protection through Google Play Protect, which operates by default on devices with Google Play Services. However, the incident highlights the ongoing challenges faced by app store security systems in detecting sophisticated malware that mimics legitimate applications.
