Beware of SparkKitty: New Spyware Poses Threat to Your Wallet Details

A new mobile spyware, SparkKitty, is infiltrating official app stores to compromise users' seed phrases and wallet information.

Key Points:

  • A newly identified mobile spyware, SparkKitty, is creeping into official app stores and specifically targeting users’ photos of seed phrases and wallet information.
  • This malware, which is an upgrade from the previous SparkCat, employs altered frameworks and libraries to stealthily extract sensitive user data from both iOS and Android devices.
  • Although the malware has been removed from major app stores, variants of it may persist via sideloaded installations and cloned apps, representing a significant global threat.

Article Content:

A fresh type of mobile spyware known as SparkKitty has breached both the Apple App Store and Google Play, masquerading as crypto-related and modified applications to covertly collect images of users’ seed phrases and wallet credentials. This malware is believed to be a successor to SparkCat, a campaign first detected in early 2025, which utilized counterfeit support chat systems to discreetly access user photo galleries and extract confidential screenshots.

Kaspersky researchers disclosed that SparkKitty escalates the techniques employed by its predecessor, confirming its presence in various official applications, including a messaging app with cryptocurrency exchange functionalities (over 10,000 installs), and another iOS app named 币coin, disguised as a portfolio tracker.

At the heart of the iOS version is a modified build of the AFNetworking or Alamofire networking framework, with an embedded custom class that runs automatically at app launch via Objective-C’s +load method. On start-up it checks a concealed configuration value, retrieves a command-and-control (C2) address, and begins scanning the user’s photo gallery and uploading images. The C2 servers direct the malware’s behaviour, telling it when to dump data or send files, and serve as the drop point from which the attackers retrieve the stolen material.

The Android counterpart employs modified Java libraries to reach the same objective, utilizing Optical Character Recognition (OCR) through Google ML Kit to analyze images. If it detects a seed phrase or private key, it marks the file and forwards it to the attacker’s servers.

Installation on iOS takes place via enterprise provisioning profiles, which are intended for internal business applications but are often co-opted for malicious purposes. Victims are tricked into trusting a developer certificate issued to SINOPEC SABIC Tianjin Petrochemical Co. Ltd. and granting the profile system-level permissions.

Kaspersky’s investigation uncovered multiple other variants of the malware employing spoofed OpenSSL libraries with obscured initialization workflows, reflecting a continually evolving toolset and various methods of distribution. Despite most apps seemingly targeting users in China and Southeast Asia, the malware does not appear to have geographical limitations.

Apple and Google have taken measures to remove the implicated apps since their public exposure, but this threat may still be operational, potentially spreading through cloned app stores and sideloading practices.
