SparkKitty Malware Targets Crypto Users Through Apple and Google App Store Loopholes

Highlights:

• The SparkKitty crypto malware uses apps in the Google Play and App Store.
• It applies OCR to scan through image galleries to decode seed phrases.
• Over 5,000 users installed infected crypto-themed apps.

A new crypto-malware version called SparkKitty exploits mobile users by using malicious apps installed in the official app stores. According to cybersecurity specialists Kaspersky, they have been monitoring this spyware since the beginning of 2024, and cases have been linked with apps posing as crypto tools. The malware aims to gather wallet seed phrase screenshots in user photo libraries.

SparkKitty, which is highly similar to a former version called SparkCat, resorts to visual data scanning to identify sensitive recovery phrases. The malware was found in the applications that pretended to be crypto trackers or gambling devices or modified social media platforms. After the users installed such apps, the malware asked to access the photo gallery and scanned the stored photographs silently.

SlowMist TI Alert

A new malware named #SparkKitty that steals all photos from infected iOS & Android devices — searching for crypto wallet seed phrases.

Delivered via:
"币coin" (App Store)
"SOEX" (Google Play, 10K+ installs, now removed)
Casino apps, adult… pic.twitter.com/47WDc8l6tQ

— SlowMist (@SlowMist_Team) June 24, 2025

Malware Slips Into Official App Stores

A number of malicious SparkKitty-infected applications passed through the review systems of Google Play and the Apple App Store. In addition, apps such as Soex Wallet Tracker and Coin Wallet Pro received thousands of downloads until they were removed. These applications looked authentic, advertising the ability to track portfolios in real-time or have multi-chain wallet capabilities.

Certain apps encouraged the installation of developer profiles that bypassed the normal security sandbox. The additional step gave the malware wider access to the system. After permissions were allowed, SparkKitty checked the screenshots according to seed phrase patterns. The malware was able to read the images in the form of text with the use of optical character recognition (OCR).

Once valid seed phrases were found, the malware sent them to other servers. These phrases help access and empty crypto wallets completely. The target users of the campaign were based in Southeast Asia as well as China, though it was easy to multiply in other regions. There were no regional limitations within the code used by the malware.

Crypto Malware Targets User Behavior

SparkKitty does not target wallets directly; it uses a popular habit instead. Most users keep the seed phrases in the form of screenshots, which they usually do not realize is dangerous. Though it is convenient, there is a weakness created by this method. Thus, this behavior was used by SparkKitty to scan thousands of photos to obtain sensitive information.

According to Kaspersky analysts, some of the infected apps were TikTok clones, gambling games, and crypto tools. Additionally, this made the malware attractive to users who are present in crypto or social media realms. The promotion of certain apps was placed either via Telegram or social ads, contributing to their reach.

After being installed, SparkKitty waited until certain user actions, such as opening chats or settings, before it requested gallery access. When it was obtained, it scanned galleries in the background. The malware operated silently, and the user could not know about its operations. Furthermore, it processed only the contents of images that were familiar with wallet recovery formats.

App Stores Under Fire After Malware Bypass

After detecting it, Kaspersky notified Apple and Google, who removed the infected apps. The campaign, however, put to question the app store defenses. Allowing the installation of external profiles helped attackers bypass sandbox restrictions designed to limit access.

Prior to their removal, the infected apps are reported to have been downloaded by more than 10,000 users. The security teams are currently keeping an eye on such behaviour in more recent crypto-themed applications. In addition, Kaspersky continues to track SparkKitty’s malware infrastructure and has shared threat data with cyber authorities.