Newly discovered photo-stealing trojan, SparkKitty, found on both Android and iOS app stores.

SparkKitty, a new mobile Trojan targeting both Android and iOS devices, has been discovered. Its primary focus is stealing cryptocurrency assets by exfiltrating sensitive images and device information from infected smartphones, and it bypassed the stores' normal security screening to reach Google Play and the Apple App Store.

Key Characteristics of SparkKitty

Both iOS and Android are targeted by this malware. It is hosted on the official app stores (Apple App Store and Google Play), as well as on third-party and scam websites. Crypto-related apps, gambling apps, and trojanized versions of popular apps such as TikTok are the typical carriers.

How SparkKitty Works

SparkKitty indiscriminately uploads all images from an infected device’s photo gallery to attacker-controlled servers. It also sends detailed device information to the attackers. The primary goal is to steal cryptocurrency wallet recovery phrases (seed phrases), which are often stored as screenshots or photos for convenience. These phrases can be used to restore and drain crypto wallets.
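The bulk gallery upload described above leaves a network footprint: one app repeatedly POSTing image bodies to a single host in a short window. The following detection logic is an added example, not code from the report or from Kaspersky. It assumes a constructed JSON-lines egress or proxy log with `ts`, `app`, `host`, `method`, `content_type` and `bytes` fields; the package names and hostnames are placeholders.

```python
"""Flag apps that upload many image bodies to one host within a short window.

Added example; the log format and all records below are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five image POSTs from one app to one host within
# two minutes, plus ordinary traffic from a second app.
SAMPLE_LOG = """
{"ts": "2025-06-20T10:00:01Z", "app": "com.example.coinapp", "host": "upload.example-c2.invalid", "method": "POST", "content_type": "image/jpeg", "bytes": 2411000}
{"ts": "2025-06-20T10:00:05Z", "app": "com.example.coinapp", "host": "upload.example-c2.invalid", "method": "POST", "content_type": "image/jpeg", "bytes": 1900500}
{"ts": "2025-06-20T10:00:09Z", "app": "com.example.coinapp", "host": "upload.example-c2.invalid", "method": "POST", "content_type": "image/png", "bytes": 875000}
{"ts": "2025-06-20T10:00:20Z", "app": "com.example.messenger", "host": "cdn.example.invalid", "method": "GET", "content_type": "image/png", "bytes": 40000}
{"ts": "2025-06-20T10:01:02Z", "app": "com.example.coinapp", "host": "upload.example-c2.invalid", "method": "POST", "content_type": "image/jpeg", "bytes": 3100200}
{"ts": "2025-06-20T10:01:40Z", "app": "com.example.coinapp", "host": "upload.example-c2.invalid", "method": "POST", "content_type": "image/jpeg", "bytes": 2200000}
{"ts": "2025-06-20T10:30:00Z", "app": "com.example.messenger", "host": "api.example.invalid", "method": "POST", "content_type": "image/jpeg", "bytes": 500000}
"""


def parse_log(text):
    """Parse JSON-lines records and convert the timestamp to a datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_bulk_image_uploads(records, min_uploads=5, window=timedelta(minutes=5)):
    """Return {(app, host): peak_count} for app/host pairs that upload at least
    min_uploads image bodies inside any window-sized interval."""
    per_pair = defaultdict(list)
    for r in records:
        if r["method"] in ("POST", "PUT") and r["content_type"].startswith("image/"):
            per_pair[(r["app"], r["host"])].append(r["ts"])

    alerts = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window over sorted timestamps: the densest burst decides.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_uploads:
            alerts[pair] = peak
    return alerts


if __name__ == "__main__":
    for (app, host), n in find_bulk_image_uploads(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {app} sent {n} image uploads to {host} within 5 minutes")
```

The threshold and window are deliberately conservative; a photo-sharing app will also burst uploads, so in practice the rule is tuned per app category and paired with the destination host's reputation.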

SparkKitty, like its predecessor SparkCat, leverages optical character recognition (OCR) to scan images for sensitive text, such as wallet recovery phrases, passwords, and potentially other confidential information. While the main focus is crypto theft, any sensitive content in the photo gallery—such as personal images or documents—could be used for extortion or other malicious purposes.
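Seed phrases are 12 to 24 words drawn from a fixed wordlist (BIP39), which is what makes them recognisable in OCR output. As an added example (not the report's code and not anything taken from SparkKitty), the following self-audit check flags OCR'd text that contains a run of consecutive wordlist words, so a user or administrator can find the screenshots that should be deleted and moved into a password manager. It embeds only the first 24 words of the English BIP39 list as a constructed subset; a real audit needs the full 2048-word list. The sample `SEED_SCREENSHOT` and `BENIGN_SCREENSHOT` texts are constructed.

```python
"""Find BIP39-style mnemonic runs in OCR output (added self-audit example)."""
import re

# Constructed subset: the first 24 words of the English BIP39 wordlist.
# Production use loads all 2048 words from the reference list.
BIP39_SUBSET = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "account", "accuse",
    "achieve", "acid", "acoustic", "acquire", "across", "act", "action",
    "actor", "actress", "actual",
}
MIN_RUN = 12  # shortest valid mnemonic length


def find_mnemonic_runs(ocr_text, wordlist=BIP39_SUBSET, min_run=MIN_RUN):
    """Return every run of at least min_run consecutive wordlist words.

    Tokenising on letters only discards digits and punctuation, so a
    numbered backup sheet ("1. abandon 2. ability ...") still forms one run.
    """
    tokens = re.findall(r"[a-z]+", ocr_text.lower())
    runs, current = [], []
    for tok in tokens + [None]:  # None is a sentinel that flushes the last run
        if tok is not None and tok in wordlist:
            current.append(tok)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = []
    return runs


# Constructed OCR output of a wallet backup screenshot.
SEED_SCREENSHOT = """Wallet backup - do not share
1. abandon 2. ability 3. able 4. about 5. above 6. absent
7. absorb 8. abstract 9. absurd 10. abuse 11. access 12. accident"""

# Constructed OCR output that uses wordlist words in ordinary prose.
BENIGN_SCREENSHOT = "Account access restored. Actual balance: about 12 coins."

if __name__ == "__main__":
    for name, text in (("seed", SEED_SCREENSHOT), ("benign", BENIGN_SCREENSHOT)):
        runs = find_mnemonic_runs(text)
        print(f"{name}: {len(runs)} mnemonic-like run(s)")
```

Ordinary prose also contains wordlist words ("account", "about"), which is why the check demands a long unbroken run rather than individual hits.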

Infection and Spread

On iOS, SparkKitty was found in an app named 币coin, which posed as a cryptocurrency tracker. On Android, it was embedded in SOEX, a messaging app with crypto-exchange features, and in various modded TikTok clones, gambling, and adult-themed apps.

Technical Details

• On iOS, SparkKitty is embedded as fake frameworks and may use enterprise provisioning profiles to bypass App Store restrictions.
• On Android, it is hidden within Java/Kotlin apps and sometimes uses malicious modules like Xposed/LSPosed.
• The malware uses obfuscation and encrypted configuration files to evade detection and control its operations.
• Scale: The campaign has been active since at least February 2024, with Kaspersky reporting over 242,000 downloads of infected apps from Google Play alone.

Relation to SparkCat

SparkKitty appears to be an evolution of the earlier SparkCat malware, which was the first known OCR-based stealer to infiltrate the Apple App Store. SparkCat also targeted crypto wallet recovery phrases via image scanning and was distributed through both legitimate-looking and fake apps.

Geographic Focus

SparkKitty’s main targets seem to be residents of Southeast Asia and China, but evidence suggests a broader reach across Europe, Asia, Africa, and the Middle East. The malware adapts its OCR models based on device language settings to maximize its effectiveness across different regions.

Mitigation and Response

All identified malicious apps have been removed from the official app stores, and Apple and Google have been notified. Users are advised not to store sensitive information, such as crypto wallet recovery phrases, as images or screenshots on their devices; a password manager is the safer place for them. Users should also regularly audit app permissions.
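One concrete way to carry out the permission audit above on Android is to parse the output of `adb shell dumpsys package` and list every package currently granted a permission that exposes the photo library. The script below is an added example, not the report's code; the `SAMPLE_DUMPSYS` text is constructed to approximate the real dumpsys layout, and the package names are placeholders.

```python
"""List installed packages granted photo-library access (added audit example).

Usage on a real device:  adb shell dumpsys package | python3 audit_photo_access.py
"""
import re
import sys

# Permissions that grant read access to the gallery across Android versions.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",                # Android 13+
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",  # Android 14+ partial access
    "android.permission.READ_EXTERNAL_STORAGE",            # Android 12 and earlier
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample approximating `dumpsys package` output: one app granted
# READ_MEDIA_IMAGES, one that requested it but was denied, one legacy app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.coinapp] (a1b2c3):
    userId=10200
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_MEDIA_IMAGES
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (d4e5f6):
    userId=10201
    requested permissions:
      android.permission.READ_MEDIA_IMAGES
    User 0: installed=true
      runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]
  Package [com.example.legacyapp] (0a1b2c):
    userId=10150
    User 0: installed=true
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""


def granted_photo_access(dumpsys_text):
    """Return {package: set(granted photo permissions)} for packages holding any."""
    result = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)  # all following permission lines belong to it
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true" and m.group(1) in PHOTO_PERMISSIONS:
            result.setdefault(current, set()).add(m.group(1))
    return result


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    for pkg, perms in sorted(granted_photo_access(text).items()):
        print(pkg, "->", ", ".join(sorted(perms)))
```

Packages that merely request a photo permission without being granted it are not reported, since only a granted permission lets an app read the gallery.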

Comparing SparkKitty to SparkCat

| Feature | SparkKitty | SparkCat |
|---|---|---|
| Platforms | iOS, Android | iOS, Android |
| Main Function | Steals all images, device info | Scans images for crypto wallet data |
| OCR Technology | Yes | Yes |
| Distribution | Official app stores, 3rd party | Official app stores, 3rd party |
| Notable Infected Apps | 币coin, SOEX, modded TikTok | ComeCome, WeTink, AnyGPT |
| Primary Targets | Crypto wallet seed phrases, other sensitive images | Crypto wallet seed phrases |
| Discovery Date | June 2025 | Early 2024 |