SparkKitty Trojan Infects iOS and Android, Steals Crypto Wallet Data via Images

Sophisticated trojan bypasses Apple and Google security to harvest cryptocurrency seed phrases from mobile device photos, marking a significant escalation in mobile crypto-targeting attacks.

Cybersecurity researchers at Kaspersky have uncovered a sophisticated new mobile malware campaign dubbed "SparkKitty" that has successfully infiltrated both Apple's App Store and Google Play Store, compromising over 5,000 cryptocurrency users across China and Southeast Asia.

The malware focuses on stealing screenshots of wallet seed phrases stored in mobile phone galleries, representing a significant evolution in crypto-targeting attacks that exploit fundamental mobile security vulnerabilities.

The malware has been active since at least early 2024, according to Kaspersky's latest security report released this week. Unlike traditional malware distribution methods, SparkKitty achieved remarkable success by embedding itself within legitimate-appearing applications across both major mobile platforms, including crypto price tracking tools, gambling applications, and modified versions of popular social media apps like TikTok.

The most concerning aspect of this campaign is its successful circumvention of both Apple's rigorous App Store review process and Google's Play Protect security systems. One compromised messenger application, SOEX, achieved over 10,000 downloads before detection and removal, demonstrating the malware's ability to operate undetected within official app ecosystems for extended periods.

Advanced Data Harvesting Methodology

SparkKitty represents a significant technical advancement over its predecessor, SparkCat, which was first identified in January 2025. Unlike traditional malware that selectively targets sensitive data, SparkKitty indiscriminately steals all images from infected devices, creating comprehensive databases of user photos that are subsequently uploaded to remote servers for analysis.

The malware operates through a sophisticated multi-stage process. Upon installation via deceptive provisioning profiles, SparkKitty requests standard photo gallery access permissions - a request that appears routine to most users. Once granted access, the trojan continuously monitors the device's photo library for changes, creating local databases of captured images before transmitting them to attacker-controlled servers.

Kaspersky researchers emphasize that the attackers' primary objective appears to be identifying and extracting cryptocurrency wallet seed phrases from screenshots stored on infected devices. These 12-24 word recovery phrases provide complete access to users' digital asset holdings, making them extremely valuable targets for cybercriminals.

The emergence of SparkKitty occurs against a backdrop of escalating cryptocurrency-focused cybercrime. According to TRM Labs' 2024 analysis, nearly 70% of the $2.2 billion in stolen cryptocurrency resulted from infrastructure attacks, particularly those involving private key and seed phrase theft. In January 2025 alone, 9,220 victims lost $10.25 million to cryptocurrency phishing scams, highlighting the persistent and evolving nature of crypto-targeting threats.

The malware's current geographic focus on China and Southeast Asia reflects broader trends in cryptocurrency adoption and cybercriminal targeting. However, security experts warn that SparkKitty's technical capabilities and proven effectiveness make global expansion highly probable. The malware's ability to infiltrate official app stores suggests that no mobile ecosystem is immune to sophisticated crypto-targeting attacks.

Technical Evolution and Attribution

Forensic analysis reveals significant connections between SparkKitty and the earlier SparkCat malware campaign. Both trojans share debug symbols, code construction patterns, and several compromised vector applications, suggesting coordinated development by the same threat actors. However, SparkKitty demonstrates notable technical refinements, including enhanced data collection capabilities and improved evasion techniques.

SparkCat specifically targeted cryptocurrency wallet recovery phrases by employing optical character recognition technology to extract these phrases from images, while SparkKitty adopts a broader approach by harvesting all available image data for later processing. This evolution suggests attackers are optimizing their operations for maximum data collection efficiency while reducing on-device processing that might trigger security alerts.

The SparkKitty campaign exposes fundamental vulnerabilities in mobile cryptocurrency security practices. Many users routinely screenshot their seed phrases for convenience, creating digital copies that become prime targets for malware like SparkKitty. This practice, while understandable from a user experience perspective, creates critical security vulnerabilities that sophisticated attackers are increasingly exploiting.

Security researchers emphasize that the threat extends beyond individual users to the broader cryptocurrency ecosystem. Every day, 560,000 new pieces of malware are detected, with mobile platforms becoming increasingly attractive targets as cryptocurrency adoption accelerates globally.

The malware's success in bypassing app store security measures also raises questions about the effectiveness of current mobile security frameworks. Both Apple and Google have implemented sophisticated review processes designed to prevent malicious applications from reaching users, yet SparkKitty's successful infiltration demonstrates that determined attackers can still circumvent these protections.

Industry Response and Defensive Measures

Following Kaspersky's disclosure, both Apple and Google have initiated removal procedures for identified SparkKitty-infected applications. However, the dynamic nature of the threat means that new variants may continue to emerge, requiring ongoing vigilance from both security researchers and app store operators.

Cryptocurrency security experts are recommending immediate defensive measures for mobile wallet users. Primary recommendations include avoiding digital storage of seed phrases entirely, utilizing hardware wallets for significant holdings, and implementing rigorous app permission auditing. Users are advised to review existing photo galleries for any stored wallet credentials and delete such images immediately.
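As an added illustration of the "app permission auditing" advice above (this script is not from the article or from Kaspersky), the parser below reads the text of Android's `adb shell dumpsys package` and lists every package granted a photo-gallery permission that is not on an expected list, so a user or analyst can spot apps such as a price tracker that have no business reading images. The dumpsys excerpt is constructed to approximate the real format, and the package names are hypothetical.

```python
import re
from typing import Dict, List

# Permissions that give an app read access to the photo gallery on Android.
# READ_EXTERNAL_STORAGE covers older API levels; READ_MEDIA_IMAGES is the
# scoped replacement on Android 13 and later.
GALLERY_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def parse_granted_permissions(dumpsys_text: str) -> Dict[str, List[str]]:
    """Map each package in `dumpsys package` output to its granted runtime permissions."""
    granted: Dict[str, List[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, [])
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].append(m.group(1))
    return granted

def apps_with_gallery_access(dumpsys_text: str, expected=frozenset()) -> List[str]:
    """Return packages holding a gallery permission that are not on the expected list."""
    perms = parse_granted_permissions(dumpsys_text)
    return sorted(pkg for pkg, plist in perms.items()
                  if GALLERY_PERMS & set(plist) and pkg not in expected)

# Constructed excerpt approximating `adb shell dumpsys package` output (hypothetical packages).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.camera] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.pricetracker] (4d5e6f):
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (7a8b9c):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
"""

if __name__ == "__main__":
    # The camera app is expected to read images; the price tracker is the one flagged.
    for pkg in apps_with_gallery_access(SAMPLE_DUMPSYS, expected={"com.example.camera"}):
        print("review photo access for:", pkg)
```

On a real device, pipe `adb shell dumpsys package` into the parser instead of the constructed sample; an app that only needs to pick a single image should be using the system photo picker rather than holding a gallery permission at all.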

The incident has also prompted renewed discussion about mobile cryptocurrency security standards. Industry leaders are calling for enhanced security requirements for crypto-related mobile applications, including mandatory security audits and stricter permission models for applications handling sensitive financial data.

While SparkKitty currently focuses on Asian markets, cybersecurity experts warn that global expansion appears inevitable. The malware's proven effectiveness and the universal nature of mobile cryptocurrency usage suggest that Western markets may soon face similar threats. By 2025, cybercrime - including malware-driven attacks - could cost the global economy $10.5 trillion annually, with cryptocurrency-targeting malware representing a growing component of this threat landscape.

The sophisticated nature of SparkKitty's app store infiltration capabilities suggests that similar campaigns may already be underway in other regions. Security researchers are calling for enhanced international cooperation in combating mobile cryptocurrency malware, including improved information sharing between app store operators and cybersecurity organizations.

Future Threat Assessment

The SparkKitty campaign represents a significant escalation in mobile cryptocurrency threats, combining sophisticated technical capabilities with proven distribution mechanisms. As cryptocurrency adoption continues expanding globally, similar threats are likely to increase in both frequency and sophistication.

Security experts predict that future iterations of crypto-targeting malware will likely incorporate additional evasion techniques, including enhanced app store bypass methods and more sophisticated data exfiltration capabilities. The success of SparkKitty's photo harvesting approach may inspire additional malware families to adopt similar methodologies, creating an escalating threat environment for mobile cryptocurrency users.

The incident underscores the critical importance of robust mobile security practices for cryptocurrency holders. As digital asset values continue climbing and adoption expands, mobile devices represent increasingly attractive targets for sophisticated cybercriminal organizations.

Users must adapt their security practices accordingly, prioritizing hardware wallet usage and eliminating digital seed phrase storage to protect their cryptocurrency holdings from evolving mobile malware threats.

Disclaimer: The information provided in this article is for educational purposes only and should not be considered financial or legal advice. Always conduct your own research or consult a professional when dealing with cryptocurrency assets.