SparkKitty Unleashed: New Mobile Spyware Steals Crypto Seed Phrases from Your Photos
Your personal photographs are increasingly becoming the target of malicious actors. Smartphones have long since evolved from mere communication tools into vast repositories of intimate data—ranging from vacation plans and cherished family photos to screenshots of bank accounts and cryptocurrency wallets. Kaspersky Lab has uncovered a new threat dubbed SparkKitty, which starkly illustrates how vulnerable this information can be, even for users who consider their devices secure.
SparkKitty is a cross-platform Trojan stealer designed to extract images and other confidential data from smartphones. It is the “younger sibling” of the previously known SparkCat malware, yet poses no less of a threat. Its primary function is the theft of photographs and screenshots from Android and iPhone galleries.
The Trojan propagates through two principal vectors: official app marketplaces and suspicious links on the Internet.
On the App Store, the malware was disguised as a cryptocurrency tracking and signal app under the name 币coin. It remains unclear whether the stealer was embedded as a result of a development oversight or through intentional integration. Nevertheless, this marks the second known instance of such malware infiltrating the App Store despite rigorous moderation—the first being SparkCat, as previously reported by experts.
In Google Play, the situation is more familiar: malicious apps appear with unsettling regularity. This time, the harmful functionality was found within a popular messenger offering cryptocurrency exchange features. The app was downloaded over 10,000 times before its eventual removal.
Beyond official distribution channels, SparkKitty thrives in unregulated terrain. Attackers craft counterfeit websites and links that offer seemingly enhanced versions of popular apps—such as modified TikTok variants for Android. While these mods claim to add new features, they covertly activate malicious code. These sites often redirect to obscure online stores, like “TikToki Mall,” which accept only cryptocurrency and require an exclusive invitation code. The existence of such a marketplace remains unverified and may be part of a broader deception.
When accessed from an iPhone, these same links lead to fake App Store pages offering counterfeit TikTok apps via provisioning profiles—a legitimate Apple mechanism for installing custom apps outside of the App Store. Typically used by developers for testing and internal distribution, this method has been hijacked by attackers to deploy malware.
Once installed, the counterfeit TikTok app on iOS requests access to the photo gallery. Upon receiving permission, it quietly transmits all images and technical device data to a command-and-control server. A similar process has been documented in Android versions.
Current data indicates the main wave of SparkKitty attacks has targeted users in China and Southeast Asia. However, this does not preclude its spread to other regions. The malware has been actively deployed since early 2024, and there is little to prevent cybercriminals from adapting their campaigns to other countries, including Russia.
Extra vigilance is advised not only with suspicious TikTok versions but also with other high-risk apps, such as gambling platforms, cryptocurrency tools, and adult content services. SparkKitty is designed to strike where users least expect it.
It is crucial to recognize that the attackers’ objective is not merely vacation photos. Among the stolen images may be screenshots of sensitive information—such as seed phrases for cryptocurrency wallet recovery. A single image of this kind could grant criminals unfettered access to the victim’s entire digital fortune.
To mitigate the risk, users are advised to store sensitive images in secure, encrypted vaults. Password managers offer a reliable solution. Additionally, scanning your device for infected apps is essential. Android users can benefit from antivirus software, while iPhone owners—despite the closed architecture of iOS—should install robust security apps capable of blocking data exfiltration and flagging suspicious behavior.
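One practical check behind the advice above is to find out which apps on an Android phone can actually read the photo library, since that is the permission SparkKitty needs. The script below is an added example, not code from the article or from Kaspersky: it parses the per-package text printed by `adb shell dumpsys package <pkg>` and lists packages whose runtime permissions for reading images are granted. The exact `dumpsys` line layout is assumed from common Android builds, the sample output and package names are constructed for the example, and `collect_from_device` requires `adb` and a connected phone with USB debugging enabled.

```python
"""Audit which installed Android apps hold photo-library access.

Added example, not code from the original article or from Kaspersky.
It parses the text that `adb shell dumpsys package <pkg>` prints for a
package and reports packages whose runtime permissions allow reading
images. The sample dumpsys text below is constructed for the example and
the package names are placeholders.
"""
import re
import subprocess
from typing import Dict, List

# Runtime permissions that grant read access to the photo library.
PHOTO_PERMISSIONS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13+ photo access
    "android.permission.READ_EXTERNAL_STORAGE",  # older APIs: all shared storage
}

# Matches lines such as (layout assumed from typical dumpsys output):
#   android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def granted_photo_permissions(dumpsys_text: str) -> List[str]:
    """Return photo-related permissions that are granted=true in one package's dumpsys text."""
    found = []
    for line in dumpsys_text.splitlines():
        m = PERM_RE.match(line)
        if m and m.group(1) in PHOTO_PERMISSIONS and m.group(2) == "true":
            found.append(m.group(1))
    return sorted(found)


def audit(packages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map package name -> granted photo permissions, omitting packages with none."""
    report: Dict[str, List[str]] = {}
    for pkg, text in packages.items():
        perms = granted_photo_permissions(text)
        if perms:
            report[pkg] = perms
    return report


def collect_from_device() -> Dict[str, str]:
    """Fetch dumpsys text for every third-party package over adb (needs adb and a connected device)."""
    listing = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3"],
        capture_output=True, text=True, check=True,
    ).stdout
    pkgs = [ln.split(":", 1)[1].strip() for ln in listing.splitlines() if ln.startswith("package:")]
    return {
        p: subprocess.run(
            ["adb", "shell", "dumpsys", "package", p],
            capture_output=True, text=True, check=True,
        ).stdout
        for p in pkgs
    }


# Constructed sample: two hypothetical packages, only one with photo access granted.
SAMPLE = {
    "com.example.messenger": """
  runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.notes": """
  runtime permissions:
      android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET ]
      android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]
""",
}

if __name__ == "__main__":
    # Replace SAMPLE with collect_from_device() to audit a real phone.
    for pkg, perms in audit(SAMPLE).items():
        print(f"{pkg}: {', '.join(perms)}")
```

Any package the report lists can read every image in the gallery, including screenshots of seed phrases; an app whose stated purpose does not involve photos is a candidate for revoking the permission in Settings or uninstalling. On iOS there is no equivalent shell interface, so the corresponding check is the Photos entry under Settings, Privacy & Security.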
Cyberthreats like SparkKitty make it increasingly clear that traditional safety recommendations are no longer sufficient. Even official app stores cannot guarantee complete protection. It is imperative for users to rethink how they store sensitive information on mobile devices and exercise greater discernment when selecting applications.