Kaspersky Discovers SparkKitty Malware Targeting Crypto Wallets
Cybersecurity firm Kaspersky has issued a critical alert regarding a newly discovered malware called SparkKitty, which is targeting cryptocurrency users by stealing sensitive images—specifically screenshots of crypto wallet recovery phrases—from their mobile phones.
Initially uncovered by Kaspersky researchers Sergey Puzan and Dmitry Kalinin in a report released on June 24, 2025, the malware has been active since early 2024 and appears linked to a previous spyware campaign that deployed a tool known as SparkCat.
Hidden in Popular Crypto Apps
SparkKitty spreads through crypto-themed mobile applications available on both Android and iOS platforms. Among the most notable infected apps were:
- Coin, a crypto price tracking app available on the App Store
- SOEX, a crypto-enabled messaging platform on Google Play with over 10,000 downloads
Though these apps have since been removed by Apple and Google, many users were already exposed. According to Google, Play Protect, which is automatically enabled on Android, can block SparkKitty from functioning—though it may not catch all variants.
How SparkKitty Operates
Once installed, SparkKitty silently scans the user’s photo gallery, harvesting all stored images—including screenshots of crypto seed phrases, personal IDs, private documents, and chat screenshots. These images are then uploaded to remote servers controlled by the attackers.
While the malware primarily seeks crypto-related data, Kaspersky notes that its broad-scope data theft could lead to identity theft and severe privacy violations.
“Even though the attackers are likely after crypto wallet screenshots, there’s a high chance they’re collecting much more personal data,” said Kaspersky.
Global Reach, Minimal Barriers
Although the malware initially targeted users in Southeast Asia and China, it’s capable of spreading globally. Infected apps have been found disguised as Chinese-language gambling apps, adult content platforms, and TikTok clones, often distributed via malicious third-party links and fake app stores.
Some versions of the malware exploit Apple Developer provisioning profiles to install harmful apps outside the App Store, bypassing traditional iOS security measures.
Similarities to SparkCat
Kaspersky points out that SparkKitty shares traits with an earlier spyware variant, SparkCat. While SparkCat focused solely on crypto content, SparkKitty opts for a broader approach, blindly stealing all images, amplifying privacy risks for users.
“This campaign, running since early 2024, isn’t technically advanced but is extremely dangerous due to its mass-scale data theft,” warned Kaspersky.
Kaspersky’s Tips to Stay Safe
To protect against SparkKitty and similar threats, Kaspersky recommends:
- Avoid downloading unofficial or unknown apps
- Never store wallet recovery phrases as images on your phone
- Use reputable antivirus software and keep it updated
- Ensure Play Protect is enabled on Android devices
- Regularly update your operating system
Conclusion
The rise of SparkKitty is a stark reminder of the growing cybersecurity threats facing crypto users, especially on mobile platforms. As the industry expands, so does the risk. One careless screenshot could hand over the keys to your entire digital wallet.
