BTC
$105,258.45
+
2.75%
ETH
$2,412.86
+
5.09%
USDT
$1.0005
–
0.03%
XRP
$2.1819
+
7.43%
BNB
$640.02
+
2.09%
SOL
$144.53
+
5.62%
USDC
$0.9998
–
0.06%
TRX
$0.2733
+
0.49%
DOGE
$0.1630
+
4.79%
ADA
$0.5835
+
5.39%
HYPE
$37.15
+
2.94%
WBT
$48.41
+
1.33%
SUI
$2.7928
+
9.24%
BCH
$463.67
+
1.65%
LINK
$13.13
+
9.16%
LEO
$9.1167
+
0.38%
XLM
$0.2477
+
6.66%
AVAX
$18.09
+
5.58%
TON
$2.9075
+
2.02%
SHIB
$0.0₄1165
+
5.35%
By Shaurya Malwa|Edited by Parikshit Mishra
Updated Jun 24, 2025, 11:59 a.m. Published Jun 24, 2025, 11:46 a.m.
- A new mobile spyware called SparkKitty has infiltrated official app stores, targeting photos of seed phrases and wallet credentials.
- SparkKitty, a successor to SparkCat, uses modified frameworks and libraries to exfiltrate sensitive data from iOS and Android devices.
- Despite removal from app stores, the malware campaign may continue through sideloaded variants and clone stores, posing a global threat.
A new strain of mobile spyware, dubbed SparkKitty, has infiltrated Apple’s App Store and Google Play, posing as crypto-themed and modded apps to stealthily extract images of seed phrases and wallet credentials.
The malware appears to be a successor to SparkCat, a campaign first uncovered in early 2025, which used fake support chat modules to silently access user galleries and exfiltrate sensitive screenshots.
STORY CONTINUES BELOW
SparkKitty takes the same strategy several steps further, Kaspersky researchers said in a Monday post.
Unlike SparkCat, which mostly spreads through unofficial Android packages, SparkKitty has been confirmed inside multiple iOS and Android apps available through official stores, including a messaging app with crypto exchange features (with over 10,000 installs on Google Play) and an iOS app called “币coin,” disguised as a portfolio tracker.
At the core of the iOS variant is a weaponized version of the AFNetworking or Alamofire framework, where attackers embedded a custom class that auto-runs on app launch using Objective-C’s +load selector.
On startup, it checks a hidden configuration value, fetches a command-and-control (C2) address, and scans the user’s gallery and begins uploading images. A C2 address instructs the malware on what to do, such as when to steal data or send files, and receives the stolen information back.
The Android variant utilizes modified Java libraries to achieve the same goal. OCR is applied via Google ML Kit to parse images. If a seed phrase or private key is detected, the file is flagged and sent to the attacker’s servers.
Installation on iOS is done through enterprise provisioning profiles, or a method meant for internal enterprise apps but often exploited for malware.
Victims are tricked into manually trusting a developer certificate linked to “SINOPEC SABIC Tianjin Petrochemical Co. Ltd.,” giving SparkKitty system-level permissions.
Several C2 addresses used AES-256 encrypted configuration files hosted on obfuscated servers.
Once decrypted, they point to payload fetchers and endpoints, such as/api/putImages and /api/getImageStatus, where the app determines whether to upload or delay photo transmissions.
Kaspersky researchers discovered other versions of the malware utilizing a spoofed OpenSSL library (libcrypto.dylib) with obfuscated initialization logic, indicating an evolving toolset and multiple distribution vectors.
While most apps appear to be targeted at users in China and Southeast Asia, nothing about the malware limits its regional scope.
Apple and Google have taken down the apps in question following disclosure, but the campaign has likely been active since early 2024 and may still be ongoing through side loaded variants and clone stores, researchers warned.
Read more: North Korean Hackers Are Targeting Top Crypto Firms With Malware Hidden in Job Applications
Shaurya is the Co-Leader of the CoinDesk tokens and data team in Asia with a focus on crypto derivatives, DeFi, market microstructure, and protocol analysis.
Shaurya holds over $1,000 in BTC, ETH, SOL, AVAX, SUSHI, CRV, NEAR, YFI, YFII, SHIB, DOGE, USDT, USDC, BNB, MANA, MLN, LINK, XMR, ALGO, VET, CAKE, AAVE, COMP, ROOK, TRX, SNX, RUNE, FTM, ZIL, KSM, ENJ, CKB, JOE, GHST, PERP, BTRFLY, OHM, BANANA, ROME, BURGER, SPIRIT, and ORCA.
He provides over $1,000 to liquidity pools on Compound, Curve, SushiSwap, PancakeSwap, BurgerSwap, Orca, AnySwap, SpiritSwap, Rook Protocol, Yearn Finance, Synthetix, Harvest, Redacted Cartel, OlympusDAO, Rome, Trader Joe, and SUN.
