
Cybersecurity firm Kaspersky has revealed that a new Trojan called SparkKitty is targeting cryptocurrency users by stealing sensitive image data from mobile devices. The malware spreads through modified TikTok apps, crypto trading tools, and gambling platforms—many of which are accessible on both the Google Play Store and Apple App Store.
SparkKitty mainly targets consumers in Southeast Asia and China. Nevertheless, cybersecurity analysts caution that its methods may be copied and used in other parts of the world. The malware's key function is to extract images from infected smartphones, most likely to locate screenshots of crypto wallet seed phrases. These phrases give full access to users’ crypto holdings.
Kaspersky researchers stated that SparkKitty embeds itself in apps downloaded from app stores or third-party sources. It bypasses device security using deceptive provisioning profiles, which are typically used for testing or sideloading apps outside of official channels. Once installed, the Trojan requests access to the user’s photo gallery and begins scanning and uploading images to a remote server.
The likely target is images containing seed phrases, used to restore access to crypto wallets. Cybercriminals can use these phrases to take full control of a victim’s wallet without needing passwords or multi-factor authentication.
On the surface, SparkKitty behaves much like the earlier SparkCat spyware scheme, first detected in January 2025. Whereas SparkCat ran optical character recognition (OCR) on images locally, SparkKitty uploads all images indiscriminately, probably for off-site processing. According to Kaspersky's findings, the two may be linked, though SparkKitty is a more refined and stealthy variant.
TRM Labs previously reported that infrastructure attacks—like malware-based theft of private keys and seed phrases—accounted for nearly 70% of the $2.2 billion in stolen cryptocurrency in 2024. Tools like SparkKitty increase the threat level for mobile crypto users, especially those relying on screenshots to store their seed phrases.
SparkKitty is not the first malware threat to target crypto investors. Another strain, Noodlophile, was recently discovered embedded in AI programs sold online. Attackers build persuasive AI applications or programs and promote them on social networks for download. Once installed, these apps steal login credentials and crypto wallet addresses.
An earlier threat, LummaC2, was associated with more than 1.7 million attempted thefts and prompted an international crackdown in May. Similar to SparkKitty, LummaC2 targeted login credentials for platforms such as crypto exchanges and wallet providers.
Cisco Talos also reported that a North Korean hacker group called Famous Chollima is using job scams to infect devices with PylangGhost, another remote access Trojan. These scams mimic legitimate hiring processes to gain access to crypto professionals’ systems.
The growing frequency of such advanced malware campaigns highlights the rising threat to the digital asset industry. With mobile application adoption increasing and AI tools becoming popular entry points, cybersecurity remains a vital concern for crypto users and platforms globally.