Scam Alert: Kaspersky Warns of SparkKitty Malware That Can Steal Crypto Seed Phrases

Coinspeaker, 2025/06/23 16:00
By Godfrey Benjamin; Editor: Hamza Tariq

Kaspersky has identified SparkKitty malware and its resemblance to SparkCat, which scans users’ pictures to find crypto wallet seed phrases.

Key Notes

  • SparkKitty malware steals photos from iOS and Android devices to find crypto seed phrases.
  • The malware spreads through apps like SOEX, which focus on digital assets.
  • Users are urged to avoid unknown apps and APK sideloading, and to use antivirus tools for protection.

A new malware known as SparkKitty is actively targeting users, and Kaspersky suspects it may be linked to SparkCat, a well-known malicious program.

Blockchain security firm SlowMist has confirmed SparkKitty’s activity, reporting that it extracts all photos from infected iOS and Android devices.

SparkKitty Searches for Crypto Seed Phrases in Screenshots

According to SlowMist and Kaspersky, SparkKitty steals media files to scavenge for crypto wallet seed phrases. In a report, Sergey Puzan and Dmitry Kalinin, analysts from Kaspersky, noted that the malware targets iOS and Android devices. It spreads on these devices by hiding within certain apps available on the Apple App Store and Google Play Store.

🚨 SparkKitty: Cute name, BIG threat
The new “little brother” of SparkCat malware hides in fake apps on Google Play & App Store—stealing all your photos, including sensitive screenshots.
Protect yourself:
🔒 Use encrypted storage
📱 Scan with #KasperskyPremium
Details:… pic.twitter.com/p3PeRGZnp7

— Kaspersky (@kaspersky) June 23, 2025

More specifically, Puzan and Kalinin believe that screenshots of crypto wallet seed phrases and other sensitive data are SparkKitty’s main media files of interest. SparkCat employed the same tactics, which Kaspersky identified in an investigation in January.

The malware appears to have no regional boundaries, though users in Southeast Asia and China seem to be the most frequently targeted.

币coin, a supposed crypto information tracker on the App Store, and SOEX are two apps identified to deliver the SparkKitty malware.

SOEX is a messaging app with “crypto exchange features” on Google Play. What they both have in common is the fact that they focus on digital assets.

SparkKitty was discovered to have been delivered through casino apps, adult-themed games, and malicious TikTok clones.

Kaspersky analysts revealed that the SOEX app had been uploaded to Google Play and downloaded more than 10,000 times. After being notified, Google removed the app from the store and blacklisted its developer.

According to a Google spokesperson, “Android users are automatically protected against this app regardless of download source by Google Play Protect, which is on by default on Android devices with Google Play Services.”

In the past, Google has taken similar actions against suspicious apps. For example, two years ago, the Chinese e-commerce app Pinduoduo was suspended after malware was found in unauthorized versions of the software.

Malware Attacks Remain a Concern

Malware attacks are increasingly common, especially targeting smart devices. While the overall volume remains contained compared to last year, these attacks continue to pose a significant threat to the crypto market.

In January 2025 alone, ScamSniffer revealed that 9,220 victims lost $10.25 million to cryptocurrency phishing scams.

This marked a sharp decline of 56% from December 2024, when losses reached $23.58 million. The $1 million stolen through Uniswap’s Permit2 feature was identified as one of the biggest losses, followed by a $549,000 loss in a direct transfer by an individual.

Also, $471,000 was stolen through transaction simulation spoofing, a method where fake transactions are made to look real to deceive users.

SlowMist has urged crypto users to remain vigilant, avoid installing unknown apps, and avoid APK sideloading. In addition, these users may need to use antivirus tools.
