
SparkKitty is a new Trojan malware variant that steals all images from infected smartphones.
This malware infiltrates devices through official app stores (Google Play, Apple App Store) and third-party sites.
SparkKitty is an upgraded version of SparkCat that uploads all gallery images to a remote server.
Attackers can gain access to personal IDs, bank statements, and private messages in addition to crypto wallet details.
A new cybersecurity threat is making headlines, and draining crypto wallets in the process. Introducing SparkKitty, the new flavor of Trojan malware that has now been found targeting smartphone users across the world, especially in Southeast Asia and China.
This malware cleverly disguises itself in crypto apps, gambling games and even TikTok mods.
Here’s how much damage SparkKitty has done and what could be at risk.
According to reports from cybersecurity firm Kaspersky, SparkKitty is designed to harvest images from smartphones.
It goes after screenshots containing crypto wallet seed phrases. It infiltrates devices through apps available on legitimate platforms like the Google Play Store and Apple App Store, as well as third-party sites.
[Image: The SparkKitty malware variant | Source: Twitter]
According to Kaspersky, the malware is believed to be an upgrade to another similar malware called SparkCat, which was discovered earlier in 2025.
The only difference is that, while SparkCat uses Optical Character Recognition (OCR) to identify wallet recovery phrases within images, SparkKitty takes a less refined but more dangerous approach.
It simply uploads all images from a victim’s gallery to a remote server for later analysis.
SparkKitty gets embedded in apps disguised as legitimate tools, and Kaspersky researchers found it lurking in apps like 币coin and SOEX, which are legitimate crypto apps available on Apple’s App Store.
Once installed, these apps use “provisioning profiles,” a method typically used for testing iOS apps outside of the App Store, to gain photo access.
From there, SparkKitty goes to work monitoring changes in the photo gallery, building a local database of new images, and then uploading those images to a remote server controlled by attackers.
Researchers suspect that the main goal is to find screenshots of seed phrases, which allow complete access to a user’s crypto wallet.
However, with full gallery access, attackers could also steal personal IDs, bank statements and private messages.
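For defenders vetting iOS apps, the provisioning profiles mentioned above can be inspected directly. The following is an added example, not code from Kaspersky or from the original article: it classifies a `.mobileprovision` blob by its distribution type using Apple's profile keys (`ProvisionsAllDevices`, `ProvisionedDevices`, `get-task-allow`). The function names, sample profiles and team names are constructed for illustration.

```python
import plistlib
from datetime import datetime

def extract_profile_plist(blob: bytes) -> dict:
    # A .mobileprovision file is a CMS (PKCS#7) envelope around an XML plist.
    # This slices out the plist for inspection; it does NOT verify the signature.
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def classify_profile(profile: dict) -> str:
    # Heuristic classification from the profile's own keys.
    if profile.get("ProvisionsAllDevices") is True:
        return "enterprise"  # installable on any device, no App Store review
    if "ProvisionedDevices" in profile:
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"

def review_profile(blob: bytes, now: datetime) -> list[str]:
    profile = extract_profile_plist(blob)
    kind = classify_profile(profile)
    findings = []
    if kind != "app-store":
        findings.append(f"{kind} profile: app can be installed outside App Store review")
    if kind == "enterprise":
        findings.append(f"enterprise team: {profile.get('TeamName', '<unknown>')}")
    expiry = profile.get("ExpirationDate")
    if expiry is not None and expiry < now:
        findings.append(f"profile expired {expiry:%Y-%m-%d}")
    return findings

def make_sample(**keys) -> bytes:
    # Constructed sample: a few arbitrary bytes stand in for the CMS wrapper.
    return b"\x30\x82\x0f\x00" + plistlib.dumps(keys) + b"\xa0\x82\x01\x00"

ENTERPRISE = make_sample(Name="Constructed Example", TeamName="Example Corp (constructed)",
                         ProvisionsAllDevices=True, ExpirationDate=datetime(2024, 1, 1),
                         Entitlements={"get-task-allow": False})
ADHOC = make_sample(Name="Constructed Ad Hoc", ProvisionedDevices=["0" * 40],
                    ExpirationDate=datetime(2099, 1, 1),
                    Entitlements={"get-task-allow": False})

if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE), ("ad-hoc", ADHOC)):
        print(label, review_profile(blob, datetime(2025, 7, 1)))
```

An app signed with an enterprise or ad-hoc profile has not passed App Store review, so a consumer crypto, gambling or mod app distributed that way warrants closer scrutiny before it is granted photo access.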
As mentioned earlier, SparkKitty appears to be a successor to SparkCat, which is another spyware campaign uncovered by Kaspersky in January.
Like SparkKitty, SparkCat targeted images, using built-in OCR to locate recovery phrases and private keys within screenshots.
[Image: SparkCat, the parent malware | Source: Twitter]
Both strains of this malware share similar code, including structures, file paths and attack strategies.
Because of this, it is safe to assume that they were both developed by the same group.
However, what makes SparkKitty more dangerous is its indiscriminate image theft.
Rather than filtering photos, it uploads all of them, which leaves users open to not only crypto theft but also extortion and privacy invasion.
SparkKitty is just the latest among several other malware variants designed to steal crypto from holders.
Notable examples include Noodlophile, an information stealer that hides itself in AI tools.
Another is LummaC2, which targets login credentials and is linked to over 1.7 million theft attempts.
Finally, PylangGhost is a RAT (remote access trojan) used in fake job interviews to hack crypto professionals.
Interestingly, this variant is linked to the North Korean hacking group Famous Chollima.
In many of these cases, the malware doesn’t just go after seed phrases. It attacks entire devices and gives attackers full access to apps, messages, and email accounts.
SparkKitty serves as a reminder of just how dangerous the crypto space can be.
What looks like a harmless app could be a backdoor that allows hackers to steal not just your photos, but your entire financial identity.
As crypto adoption continues to grow, so do the attack vectors.
The best defence in this case is awareness and good security hygiene. Never underestimate the risks, especially when it comes to storing sensitive information on devices connected to the internet.