Kaspersky Uncovers SparkKitty Malware Targeting Crypto Seed Phrase Screenshots on Mobile Devices


Cybersecurity firm Kaspersky has identified a new strain of mobile spyware named SparkKitty that targets crypto users by stealing screenshots containing wallet seed phrases from their phone photo galleries. The malware infects both Android and iOS devices, and several infected apps bypassed the official defenses of Google Play and the Apple App Store before being removed.

SparkKitty primarily targets users in Southeast Asia and China through malicious apps disguised as legitimate software, including crypto trackers, TikTok mods, gambling games, and adult content applications. The malware prompts users to grant access to photo galleries, then silently scans images using optical character recognition (OCR) technology to extract sensitive text such as seed phrases.

Notable apps involved include Soex Wallet Tracker and Coin Wallet Pro, which appeared on Google Play and the App Store respectively before their removal following Kaspersky's reports. SparkKitty is related to a previous malware campaign called SparkCat identified earlier in 2024, sharing similar technical methods and origins.

Kaspersky has notified Apple and Google, which have since taken down the affected apps and banned developers linked to the malware. Although the campaign primarily targets Southeast Asia and China, SparkKitty's techniques can be used against users globally if protection lapses. This ongoing campaign poses significant risks to crypto holders by targeting one of the most critical components of wallet security: the seed phrase.