Kaspersky Warns of New App Store Crypto Trojan
SparkKitty appears to be a retooled version of SparkCat, an earlier spyware strain first seen in 2023, although this new wave is more sophisticated and widespread, with malicious code embedded in apps like “币coin” on iOS and “SOEX” on Android. The apps posed as crypto exchanges, trading tools, or even altered versions of popular platforms like TikTok, but once installed and granted access to a device’s camera roll, they quietly uploaded user photos to remote servers, where attackers used OCR (optical character recognition) to scan for valuable information.
Malware analyst Sergey Puzan explained that in some cases, attackers even directed iPhone users to install custom provisioning profiles through fake websites, bypassing Apple’s normal defenses.
Kaspersky says it notified both Apple and Google as soon as SparkKitty was identified, leading to the infected apps being removed, but it warns that similar ones continue to circulate via third-party APK sites and shady web links. One of the Android apps, SOEX, had more than 10,000 downloads before Google pulled it, while the “币coin” app on iOS passed itself off as a legitimate crypto tracker but was working behind the scenes to collect data. “We suspect the attackers are looking for screenshots of seed phrases,” Kaspersky said, “but it’s likely other sensitive details are being harvested as well.”
To stay safe, Kaspersky recommends not storing screenshots of sensitive crypto information, reviewing app permissions, and using security tools that can detect when apps attempt to transmit personal data.
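One way to carry out the permission review on Android, as an added example that is not from Kaspersky or the original article: it parses text modeled on `adb shell dumpsys package` output and lists apps that hold both a granted photo-library permission and network access, the combination the apps described above relied on. The sample dump and package names are constructed, and treating any installer other than the Play Store as sideloaded is an assumption of this example.

```python
import re

# Permissions that expose the photo library (READ_MEDIA_IMAGES applies on Android 13+).
PHOTO_PERMS = {"android.permission.READ_MEDIA_IMAGES",
               "android.permission.READ_EXTERNAL_STORAGE"}
NETWORK_PERM = "android.permission.INTERNET"
PLAY_STORE = "com.android.vending"  # assumption: any other installer counts as sideloaded

# Constructed sample, trimmed to the fields this check reads; package names are made up.
SAMPLE_DUMP = """\
Package [com.example.cointracker] (1a2b3c):
  installerPackageName=null
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
  installerPackageName=com.android.vending
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_MEDIA_IMAGES: granted=false, flags=[ USER_SET ]
Package [com.example.gallery] (7a8b9c):
  installerPackageName=com.android.vending
  install permissions:
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.READ_EXTERNAL_STORAGE: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def audit(dump_text):
    """Return [(package, sideloaded)] for apps that can read photos and reach the network."""
    apps, current = {}, None
    for line in dump_text.splitlines():
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), {"granted": set(), "installer": None})
        elif current is None:
            continue  # ignore anything before the first package header
        elif m := INSTALLER_RE.match(line):
            current["installer"] = m.group(1)
        elif (m := GRANT_RE.match(line)) and m.group(2) == "true":
            current["granted"].add(m.group(1))  # denied permissions are not recorded
    return [(name, info["installer"] != PLAY_STORE)
            for name, info in apps.items()
            if info["granted"] & PHOTO_PERMS and NETWORK_PERM in info["granted"]]
```

The result is a review list, not a verdict: a gallery app legitimately holds both permissions, so the useful question for each entry is whether that app has any reason to read photos.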