Cybersecurity specialists at Kaspersky have discovered a new strain of malware known as SparkKitty, which has been operational since at least February 2024. SparkKitty belongs to the SparkCat lineage, a collection of Trojan horse applications designed to pilfer cryptocurrency. The initial SparkCat malware was first recognized by Kaspersky in January 2025, having already breached both the Google Play Store and Apple’s App Store.

These harmful applications frequently disguise themselves as genuine software, presenting substantial dangers in the cryptocurrency sector. An example is the Android application, SOEX, which claimed to be a messaging service with cryptocurrency trading capabilities and amassed over 10,000 downloads on Google Play prior to being detected. Kaspersky also discovered a comparable application on the iOS app store, in addition to modified versions of the TikTok app masquerading as authentic.

SparkKitty is engineered to access users’ photo libraries, since numerous cryptocurrency users store screenshots of their recovery phrases necessary for wallet restoration. By retrieving these images, attackers can potentially obtain full access to the victims’ cryptocurrency accounts. In contrast to the more focused SparkCat, SparkKitty indiscriminately gathers a broad spectrum of images and transmits them to the attackers, irrespective of the content, as outlined in a Secure List report from Kaspersky.

The primary worry is the theft of recovery phrases for crypto wallets, but the wider access to photo libraries introduces further hazards, such as the risk of extortion with sensitive images. However, there is no proof that stolen images have been employed for blackmail. The malware initiative has predominantly focused on users in Southeast Asia and China, with most infected applications disguised as Chinese gambling games, TikTok replicas, and adult entertainment applications, customized for those areas.