A dangerous mobile malware named SparkKitty has been uncovered in apps across both Google Play and the Apple App Store. This new threat targets Android and iOS users by accessing their photo galleries, with the goal of extracting sensitive data like cryptocurrency recovery phrases.

SparkKitty is believed to be an advanced version of SparkCat, a malware previously identified by PC Matic Antivirus in January 2025. That variant used OCR (Optical Character Recognition) to detect seed phrases saved in images—phrases crucial for restoring access to crypto wallets. Many users, despite warnings, still take screenshots of these phrases, making them a prime target for cybercriminals.

Once inside a device, SparkKitty begins extracting every image stored in the gallery. If those photos contain sensitive data—such as seed phrases or personal content—the malware may use them for financial theft or extortion.

How SparkKitty Infiltrates Mobile Devices

SparkKitty infections began as early as February 2025. The malware spread through official app stores and third-party sources. On the Apple App Store, it was hidden in an app called 币coin. On Google Play, it was embedded in a popular app named SOEX, which had over 10,000 downloads before removal.

Kaspersky also detected SparkKitty in fake TikTok clones, gambling platforms, and adult-themed apps shared outside official channels. These altered apps carried the malicious code in frameworks on iOS or Java/Kotlin code on Android.

The malware activates when a user opens the infected app or performs specific in-app actions. Once triggered, it decrypts its AES-256-encrypted configuration and then connects to external servers. On iOS, it quietly gains photo access and monitors the gallery for changes. On Android, it requests storage permissions and uploads any image files—sometimes only those containing text, using OCR filtering.

How to Stay Safe from Photo-Based Malware

Users should always examine apps for warning signs: unverified developers, fake reviews, suspicious permissions, or high ratings with few downloads. Be cautious of apps that request access to your photos or storage without a clear reason tied to their main function.

For iOS users, avoid installing unknown configuration profiles. On Android, ensure that Google Play Protect is turned on and that you regularly scan your device.
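One way to act on the permission advice above on Android, as an added example that is not part of the original article: list the apps that currently hold photo or storage access and are not ones you expect to. It assumes the text comes from `adb shell dumpsys package` (the layout varies by Android version); the sample output, package names, and the `expected` allowlist are constructed for illustration.

```python
import re

# Android runtime permissions that expose the photo gallery to an app.
PHOTO_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_photo_perms(dumpsys_text):
    """Map package name -> set of photo/storage permissions currently granted."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:                      # a new package section starts here
            current = m.group(1)
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true" and m.group(1) in PHOTO_PERMS:
            result.setdefault(current, set()).add(m.group(1))
    return result

def apps_to_review(dumpsys_text, expected):
    """Packages holding gallery access that are not on the expected list."""
    found = granted_photo_perms(dumpsys_text)
    return sorted((p, sorted(v)) for p, v in found.items() if p not in expected)

# Constructed, simplified sample of `adb shell dumpsys package` output.
SAMPLE = """\
Packages:
  Package [com.example.gallery] (1a2b3c):
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
  Package [com.example.coinprices] (4d5e6f):
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (7a8b9c):
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_FIXED ]
"""

if __name__ == "__main__":
    for pkg, perms in apps_to_review(SAMPLE, expected={"com.example.gallery"}):
        print(pkg, "->", ", ".join(perms))
```

Any package it reports is a candidate for revoking photo access in the system settings or uninstalling if the permission has no tie to the app's main function.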

Crypto holders should never store recovery phrases as images on their phones. Write them down and keep them offline in a secure place. Mobile malware like SparkKitty proves these devices are no longer safe for storing sensitive crypto data.

