Cybersecurity firm Kaspersky has issued a warning about a newly uncovered malware called SparkKitty, designed to steal images from infected devices in search of cryptocurrency seed phrases.
In a report published Monday, Kaspersky analysts Sergey Puzan and Dmitry Kalinin revealed that SparkKitty is targeting both iOS and Android platforms by embedding itself within certain apps available on the Apple App Store and Google Play.
After infecting a device, the malware proceeds to indiscriminately extract all images from the user’s photo gallery.
“Although we suspect the attackers’ main goal is to find screenshots of crypto wallet seed phrases, other sensitive data could also be present in the stolen images.”
Malicious Apps Disguised as Crypto Tools or Services
Kaspersky identified two apps used to spread the malware, both with a crypto focus. The first, called 币coin, posed as a cryptocurrency information tracker and was available on the App Store.
The second, named SOEX, was a messaging app on Google Play that claimed to offer “crypto exchange features.”
“This app was uploaded to Google Play and had over 10,000 installs. At the time of our investigation, it was still available on the platform. We reported it to Google, and they have since removed it,” Puzan and Kalinin noted.
The researchers also found SparkKitty being distributed through casino apps, adult-themed games, and fake TikTok clones.
SparkCat’s Younger Sibling Emerges
The newly discovered malware closely resembles SparkCat, which Kaspersky uncovered in January. Like its predecessor, it scans users’ photos in search of cryptocurrency wallet recovery phrases.
According to Puzan and Kalinin, both malware variants likely originate from the same source, as they share overlapping features and use similar file paths linked to the attackers’ infrastructure.
“Although the campaign isn’t particularly advanced in terms of technology or design, it has been active since at least early 2024 and presents a serious risk to users,” the analysts warned.
“Unlike the previously discovered SparkCat spyware, this malware isn’t picky about which photos it steals from the gallery.”
Primary Targets: Southeast Asia and China
Kaspersky’s analysis shows that the malware campaign primarily targets users in Southeast Asia and China, as many of the infected apps include Chinese-language gambling games, fake TikTok apps, and adult-themed games.
“Based on the distribution sources, this spyware is mainly aimed at users in Southeast Asia and China,” noted Puzan and Kalinin.
However, they added that “there are no technical barriers preventing it from spreading to users in other parts of the world.”
