SparkKitty Malware Targets Crypto Users, Steals Seed Phrases
Coin World, Wednesday, Jun 25, 2025 1:36 am ET
A newly discovered Trojan, named "SparkKitty," is infecting smartphones and stealing sensitive data, potentially allowing attackers to drain victims' cryptocurrency wallets, according to a report by cybersecurity firm Kaspersky. The malware is embedded in apps related to crypto trading, gambling, and even modified versions of TikTok. Once installed via deceptive provisioning profiles, SparkKitty requests access to the photo gallery, monitors for changes, creates a local database of stolen images, and uploads photos to a remote server. Kaspersky suspects that the attackers' main goal is to find screenshots of crypto wallet seed phrases, which are highly valuable as they allow full access to a user's crypto wallet.
Currently, the malware primarily targets victims in China and Southeast Asia. However, the firm warned that there was nothing to stop it from spreading to other regions. SparkKitty is believed to be linked to the SparkCat spyware campaign first uncovered in January 2025, which similarly used malicious SDKs to gain access to photos on user devices. While SparkCat used Optical Character Recognition (OCR) to single out images containing seed phrases, SparkKitty indiscriminately uploads photos, presumably to be processed later. Its presence has been confirmed in both Android and iOS apps on their respective app stores, including apps disguised as crypto-themed tools and TikTok mods.
SparkKitty joins a host of other crypto-targeting malware and trojans that have gained popularity among hackers over the last few years. Among them, the information stealer Noodlophile has been found embedded in AI tools available for download online, taking advantage of current interest around the technology. Hackers build convincing-looking AI sites and then advertise them via social media to attract unsuspecting victims. An international law enforcement effort in May targeted key infrastructure related to the distribution of another strain of malware, LummaC2, which has been linked to over 1.7 million theft attempts. LummaC2 aimed to steal information related to login credentials, including for crypto wallets.
In its 2024 report, TRM Labs estimated that nearly 70% of the $2.2 billion in stolen crypto last year resulted from infrastructure attacks, particularly those involving the theft of private keys and seed phrases. Malware like SparkKitty enables such thefts because attackers can search the data taken from infected devices for wallet credentials. Seed phrases are highly valuable because they allow full access to a user's crypto wallet. The discovery of SparkKitty highlights the ongoing threat of malware targeting cryptocurrency users and the need for enhanced security measures to protect sensitive data.