Kaspersky Discovers New Malware Targeting Screenshots of Cryptocurrency Users' Mnemonics

Cybersecurity firm Kaspersky has discovered a new strain of spyware dubbed SparkKitty, which has been active since at least early 2024. The malware appears to be a variant, or potentially an evolution, of a previously identified spyware called SparkCat, according to a detailed report released by the company on Monday.

The primary function of SparkKitty is to steal photos from infected devices, with a specific focus on finding screenshots of cryptocurrency wallet seed phrases, which are critical for accessing and recovering crypto funds.

Kaspersky researchers Sergey Puzan and Dmitry Kalinin explained that SparkKitty targets both iOS and Android platforms and spreads through malicious apps distributed on the Apple App Store and Google Play.

Once installed, the malware automatically pulls all images from the user’s photo gallery, regardless of content. While crypto seed phrases are the assumed priority, analysts have warned that the malware could just as easily harvest other sensitive or personal images.

“Although its goal appears to be cryptocurrency recovery phrases, this spyware steals all photos indiscriminately,” said Puzan and Kalinin.

Kaspersky linked the malware to two specific applications:

“Coin”, a fake crypto price tracker that was previously listed on the App Store.

“SOEX”, a chat app with embedded cryptocurrency trading features, which was available on Google Play and downloaded over 10,000 times before its removal.

The analysts noted that they had alerted Google, leading to the removal of SOEX from the Play Store. Google later confirmed that the developer account responsible was banned.

Based on the nature of the infected apps, many of which are Chinese-language gambling platforms, TikTok clones, and adult-themed games, Kaspersky believes the campaign is primarily targeting users in Southeast Asia and China.

However, the researchers emphasized that there’s nothing in SparkKitty’s architecture that limits it to specific regions, making it a global threat.

“It’s clear the current focus is Southeast Asia and China, but the malware is fully capable of spreading to other parts of the world,” they added.

Kaspersky believes SparkKitty is probably connected to SparkCat, a similar spyware first analyzed by the firm in January. Both malware types share code structure, operational methods, and even identical file path patterns, suggesting they originate from the same developer or group.

“SparkKitty is less selective than SparkCat—it grabs everything in your gallery,” Puzan and Kalinin noted. “It’s not highly sophisticated, but it’s persistent and dangerous.”

Despite its relatively simple design, SparkKitty’s broad data collection strategy and integration with legitimate-looking apps make it a serious threat, especially to users managing cryptocurrency portfolios on mobile devices.

Written by Ritu Lavania
