A newly identified Trojan called “SparkKitty” is infecting smartphones to steal sensitive data, potentially allowing attackers to access and drain victims’ cryptocurrency wallets, according to cybersecurity firm Kaspersky.
The malware is hidden in apps related to crypto trading and gambling, and in modified versions of popular apps like TikTok. It installs via deceptive provisioning profiles on iOS and requests access to users’ photo galleries. SparkKitty monitors the gallery for changes, collects images into a local database, and uploads them to remote servers.
Kaspersky suspects the primary goal is to capture screenshots containing crypto wallet seed phrases, which provide full wallet access. Although the Trojan currently targets users mainly in China and Southeast Asia, Kaspersky warns it could spread to other regions.
Seed phrase theft accounts for a significant portion of crypto thefts. TRM Labs reported in 2024 that nearly 70% of the $2.2 billion stolen last year involved infrastructure attacks targeting private keys and seed phrases.
SparkKitty is linked to the earlier SparkCat spyware campaign, which also accessed photos but used Optical Character Recognition (OCR) to identify seed phrases. Unlike SparkCat, SparkKitty indiscriminately uploads all images for later analysis.
The malware has been found on both Android and iOS, including in official app stores, disguised as crypto tools and TikTok modifications.
SparkKitty is part of a broader trend of crypto-targeting malware. For example, the Noodlophile information stealer has been hidden in AI-related tools promoted on social media, exploiting the popularity of artificial intelligence. Additionally, a global law enforcement operation in May targeted infrastructure linked to the LummaC2 malware, which has been involved in over 1.7 million credential theft attempts, including attempts against crypto wallets.