A newly discovered strain of mobile spyware is targeting cryptocurrency users by stealing screenshots of their wallet seed phrases. Some of the apps that carry it managed to bypass the security checks of Apple's App Store and Google Play.
Cybersecurity firm Kaspersky has identified this malware, dubbed SparkKitty, which infiltrates both Android and iOS devices through deceptive apps. SparkKitty is believed to be a variant of SparkCat, a similar malware campaign uncovered earlier in January, and is primarily affecting users in Southeast Asia and China.
SparkKitty hides inside apps that appear legitimate, including modified versions of TikTok, cryptocurrency portfolio trackers, gambling apps, and adult content platforms. Some of these apps trick users into installing special developer profiles, which lets the malware run outside the standard app review protections.
Once installed, SparkKitty activates when users open specific app screens, such as support chats, and prompts for access to the device’s photo gallery. If granted, the malware uses optical character recognition (OCR) to scan images for text, specifically looking for screenshots containing seed phrases and other sensitive crypto-related data.
Many of the compromised apps featured crypto-related interfaces and even exclusive crypto-only stores, clearly signaling that harvesting seed phrases was the primary goal. Among the flagged apps were Soex Wallet Tracker and Coin Wallet Pro. Soex, which masqueraded as a real-time portfolio management tool, was downloaded more than 5,000 times from Google Play before it was removed.

Coin Wallet Pro, which promoted itself as a secure multi-chain wallet, briefly appeared on the App Store, gaining attention through aggressive social media advertising and promotions on Telegram before being taken down.

Kaspersky has alerted both Apple and Google, leading to the removal of the malicious apps from their respective stores. According to researchers, the spyware campaign has been active since at least April 2024, with some samples indicating it may have started even earlier.