Kaspersky warns: New crypto malware steals seed phrase screenshots

24.06.2025 09:03

Kaspersky has identified a novel mobile spyware variant actively targeting cryptocurrency users. This malicious software operates by surreptitiously capturing screenshots of users' wallet seed phrases, directly from their phone's image gallery. The sophisticated nature of this attack is highlighted by the malware's successful infiltration of both the Google Play and Apple App Stores.

This newly discovered threat, dubbed SparkKitty, has clear links to a previous malware campaign known as SparkCat, uncovered earlier this year. Similar to its predecessor, SparkKitty prioritizes the theft of sensitive photographic data, but its reach extends across both Android and iOS platforms. Its geographical focus appears to be Southeast Asia and China.

Disguised within seemingly innocuous applications, including modified versions of popular apps like TikTok, crypto trackers, gambling applications, and adult content apps, SparkKitty employs a deceptive tactic. Users are tricked into installing a special developer profile, which circumvents standard security protections and grants the malware extensive permissions. Once installed, the malware waits for specific user actions, such as opening a support chat screen, before requesting photo gallery access, so that the permission prompt appears in a plausible context.

Once granted access, the malware silently utilizes optical character recognition (OCR) to analyze images for seed phrases, quietly extracting this vital cryptographic information. The prevalence of cryptocurrency-themed applications amongst those identified as malicious strongly suggests that seed phrase theft is the primary objective. This is evidenced by apps such as Soex Wallet Tracker and Coin Wallet Pro. Soex, falsely advertised as a real-time portfolio manager, accumulated over 5,000 downloads on Google Play before its removal. Coin Wallet Pro, deceptively marketed as a secure multi-chain wallet, briefly appeared on the App Store, leveraging social media and Telegram channels for promotion before its removal.

Kaspersky has alerted both Apple and Google to this significant security threat, prompting the removal of the compromised applications from their respective app stores. This incident underscores the growing need for heightened vigilance amongst cryptocurrency users and developers alike, and emphasizes the importance of verifying the authenticity of applications and downloading them only from reputable sources.