A New Breed of Malware Targets Crypto Users Worldwide
In a disturbing turn for mobile security, researchers have identified a new trojan, SparkKitty, that made its way into both Apple's App Store and Google Play. The malware steals images from the infected device, with a particular focus on capturing screenshots of crypto wallet seed phrases, the recovery keys that give whoever holds them full control over a user's funds.
How SparkKitty Operates: A Cleverly Disguised Trojan
Like most trojans, SparkKitty hides inside seemingly harmless apps, often ones related to crypto trading or online gambling, or modified builds of popular platforms such as TikTok. Once installed and launched, the app asks for permission to access the phone's photo gallery, a request many users grant without a second thought.
Once access is granted, the malware watches the gallery for new or changed images, keeps a local database recording which files it has already processed, and uploads the images to a remote command-and-control server. There the attackers sift through them looking specifically for screenshots of seed phrases, the recovery phrases used to back up crypto wallets.
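The defensive check that follows from this behaviour is to know which apps on a phone can actually read the gallery. The script below is an added example for this article, not code from the original page or from the researchers who documented SparkKitty. It parses the text that `adb shell dumpsys package <pkg>` prints for each package and lists the user-installed apps that hold a gallery read permission; the sample dumpsys excerpts and the package names in it are constructed so that it runs without a device.

```python
"""Audit which installed Android apps hold a photo-gallery read permission.

Added example for this article; it is not code from the original page nor
from the researchers who documented SparkKitty.  It parses the text that
`adb shell dumpsys package <pkg>` prints for each package and reports the
packages that can read the gallery, which is the access SparkKitty asks for.
"""
import re
import subprocess
from typing import Dict, Iterable, List

# Permissions that give an app read access to the photo gallery.
# READ_MEDIA_IMAGES is the photo permission on Android 13 and later;
# READ_EXTERNAL_STORAGE covers the same on older releases.
GALLERY_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Matches the per-permission lines dumpsys prints under
# "install permissions:" / "runtime permissions:", e.g.
#   android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
# Lines under "requested permissions:" carry no "granted=" and are ignored.
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_gallery_perms(dumpsys_text: str) -> List[str]:
    """Gallery permissions reported as granted=true in one package's dumpsys output."""
    found = set()
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if m and m.group(1) in GALLERY_PERMS and m.group(2) == "true":
            found.add(m.group(1))
    return sorted(found)


def audit(packages: Dict[str, str], allowlist: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map package name -> granted gallery permissions, skipping allowlisted packages.

    `packages` maps each package name to its dumpsys output.  The allowlist is
    for apps you expect to have gallery access (the camera app, a photo editor);
    everything else that can read the gallery deserves a second look.
    """
    skip = set(allowlist)
    result: Dict[str, List[str]] = {}
    for pkg, text in packages.items():
        if pkg in skip:
            continue
        perms = granted_gallery_perms(text)
        if perms:
            result[pkg] = perms
    return result


def collect_from_device() -> Dict[str, str]:
    """Pull dumpsys output for every third-party (user-installed) package over adb.

    Needs a connected device with USB debugging enabled; not used by the
    offline demo below.
    """
    listing = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3"],
                             capture_output=True, text=True, check=True).stdout
    pkgs = [ln.split(":", 1)[1].strip() for ln in listing.splitlines()
            if ln.startswith("package:")]
    return {p: subprocess.run(["adb", "shell", "dumpsys", "package", p],
                              capture_output=True, text=True, check=True).stdout
            for p in pkgs}


# Constructed sample dumpsys excerpts (the package names are invented) so the
# example runs without a device.
SAMPLE_PACKAGES = {
    "com.example.cointrader": """
      requested permissions:
        android.permission.INTERNET
        android.permission.READ_MEDIA_IMAGES
      install permissions:
        android.permission.INTERNET: granted=true
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
    """,
    "com.example.notes": """
      requested permissions:
        android.permission.READ_MEDIA_IMAGES
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]
    """,
    "com.example.gallery": """
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
    """,
}


if __name__ == "__main__":
    # Only the trading app is reported: the notes app was denied, the
    # gallery app is allowlisted.
    for pkg, perms in audit(SAMPLE_PACKAGES, allowlist=["com.example.gallery"]).items():
        print(f"{pkg}: {', '.join(perms)}")
```

On a real device, replace `SAMPLE_PACKAGES` with `collect_from_device()` and revoke gallery access for anything you do not recognise (`adb shell pm revoke <pkg> android.permission.READ_MEDIA_IMAGES`, or Settings > Apps > Permissions). iOS has no equivalent of dumpsys; there the check is Settings > Privacy & Security > Photos, where each app's access level is listed.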
A Sophisticated Data Heist Strategy
SparkKitty appears to be a variant or evolution of SparkCat, spyware first reported in early 2025. SparkCat ran optical character recognition (OCR) on images to pick out those containing sensitive text, in particular crypto wallet recovery phrases, and exfiltrated only those. SparkKitty casts a wider net: it uploads every image it can reach and leaves the sifting to the attackers.
Where SparkCat was selective, SparkKitty exfiltrates indiscriminately, which suggests the operators want the images for broader criminal use as well. With a seed phrase in hand, attackers can restore the wallet on a device of their own and transfer out its contents; because the phrase is the wallet's root key, there is no password to change and no way to reverse the transfers.
Who’s at Risk?
So far, victims are mostly located in China and Southeast Asia, but analysts warn that the malware could easily spread further, since it hides in seemingly benign or pirated apps with global appeal. With mobile crypto wallets in use worldwide and growing interest in decentralized finance (DeFi), the pool of potential targets is large and growing.
Apple and Google Under Pressure
The discovery of SparkKitty also highlights ongoing gaps in the major app ecosystems. Apple and Google both vet submissions, yet malicious SDKs embedded in otherwise legitimate-looking apps continue to slip through. That argues for stricter review on the platforms' side and, on the user's side, more attention to the permissions an app asks for and to the risks of installing software from unofficial sources.
Conclusion: Stay Vigilant and Secure Your Crypto
SparkKitty is a stark reminder that an official app store listing is no guarantee of safety. Crypto users should avoid third-party app stores and pirated apps, review which apps hold photo access and revoke it where it is not needed, and never keep screenshots of their seed phrases on their devices. The malware's ability to go after such critical data quietly should prompt both users and platforms to rethink mobile security standards.
For now, experts recommend keeping seed phrases in encrypted, offline backups rather than in the photo gallery, and using hardware wallets so that the keys never sit on the phone at all.