
New Spyware “SparkKitty” Targets Crypto Wallets Through App Store And Google Play
Security researchers identified a new spyware named SparkKitty, which steals smartphone photos to access cryptocurrency wallets.
In a rush? Here are the quick facts:
- The malware disguises itself as modified versions of popular apps like TikTok on iOS and Android.
- Uses OCR to find crypto wallet seed phrases in stolen images.
- Active since February 2024, spreading through official and unofficial app stores.
The spyware, first reported by Kaspersky, appears to be connected to a previous malware strain known as SparkCat. It has infected several apps on both the App Store and Google Play, although some have already been removed.
The researchers explain that SparkKitty spreads through fake applications that mimic well-known platforms, including TikTok. Once installed, the malicious apps request access to the user’s photo gallery.
Some versions steal all images, while others use optical character recognition (OCR) to scan for crypto wallet seed phrases, which are unique codes that give access to digital currencies.
On iPhones, the malware is hidden inside fake software frameworks that mimic legitimate ones such as AFNetworking or Alamofire. On Android devices, the spyware embeds itself as malicious modules inside apps, particularly those related to messaging or cryptocurrency.
Kaspersky explains that the campaign began in February 2024 and has spread through both unauthorized app stores and official distribution channels. The malware was first detected in fake TikTok applications, which redirected users to a fake online shop called “TikToki Mall” that accepted cryptocurrency payments.
Users who accessed the site from their iPhones were shown fake App Store pages that deceived them into installing infected applications. Hackers also misused Apple’s Enterprise Developer Program to distribute their malware, bypassing regular App Store security.
After infection, the app checks for activation codes, contacts a remote server for instructions, and uploads stolen photos to hacker-controlled servers.
The researchers report that a fake crypto-enabled messaging application was downloaded more than 10,000 times before security researchers discovered its malicious nature.
Most victims are in Southeast Asia and China, with many infected apps featuring gambling or adult content. However, the spyware could target users worldwide. SparkKitty shares technical features with SparkCat, suggesting a direct connection between the two campaigns.
To stay protected, users should avoid third-party app stores, carefully check app permissions, and keep their devices updated. Even photos unrelated to cryptocurrency may be at risk from this ongoing spyware threat.