26.06.2025 02:53
A newly discovered Trojan, dubbed "SparkKitty," is stealthily infiltrating smartphones and exfiltrating sensitive user data, potentially leading to the complete depletion of cryptocurrency wallets, according to a recent Kaspersky report. This malicious software, cleverly disguised within applications associated with cryptocurrency trading, online gambling, and even altered versions of popular platforms like TikTok, poses a significant threat.
The Trojan's modus operandi involves gaining access to a device's photo gallery through deceptive provisioning profiles—a method used to circumvent app store security measures and install modified or unauthorized applications. Once granted permission, SparkKitty diligently monitors the photo gallery for any changes, meticulously building a local database of stolen images before surreptitiously uploading this data to a remote server controlled by the attackers. Kaspersky researchers strongly suspect that the primary objective is the acquisition of screenshots containing crucial cryptocurrency wallet seed phrases.
Currently, the SparkKitty campaign appears to be concentrated in China and Southeast Asia; however, Kaspersky cautions that its geographic reach is not limited and a global spread is entirely possible. This threat underscores the alarming trend highlighted in TRM Labs' 2024 report, which estimated that approximately 70% of the $2.2 billion in cryptocurrency stolen last year was the result of infrastructure attacks focused on compromising private keys and seed phrases—precisely the information SparkKitty seeks.
SparkKitty closely resembles the SparkCat spyware campaign, initially detected in January 2025. Both campaigns leverage compromised software development kits (SDKs) to access user photos, although SparkKitty's approach differs slightly. While SparkCat employed Optical Character Recognition (OCR) technology to specifically target images containing seed phrases, SparkKitty adopts a more indiscriminate approach, uploading all photos to a server for later analysis. This broadened strategy significantly increases the chances of obtaining the targeted information. SparkKitty has already been confirmed on both Android and iOS platforms, highlighting the malware's broad compatibility and increased threat level.