A dangerous new strain of mobile spyware is making headlines in the crypto world. Security researchers at Kaspersky have uncovered a malware campaign dubbed SparkKitty that is specifically designed to steal screenshots of wallet seed phrases from mobile devices. Shockingly, some infected apps managed to slip through the defenses of both Google Play and Apple’s App Store, putting thousands of users at risk.
Screenshot Theft: A New Threat Vector
Unlike typical malware that targets login credentials or browser data, SparkKitty takes a more indirect yet devastating approach. It infiltrates users’ photo galleries, scanning stored images for text using Optical Character Recognition (OCR). Its primary target: screenshots containing crypto wallet seed phrases, the master keys to digital assets.
Once the malware is installed, it remains dormant until users trigger specific interfaces (such as fake support chats). At that point, it requests access to the photo gallery. If granted, it silently begins scanning images and exfiltrating any that appear to contain sensitive information.
How SparkKitty Spreads
Kaspersky’s report reveals that SparkKitty is being distributed via seemingly legitimate mobile apps, often disguised as:
- TikTok mods
- Crypto tracking tools
- Gambling games
- Adult content apps
These apps trick users into installing a developer profile, especially on iOS devices, which allows the malware to operate outside of the usual sandbox restrictions and security reviews.
Confirmed Infected Apps
Two of the most concerning examples flagged by researchers include:
- Soex Wallet Tracker – Masqueraded as a crypto portfolio manager. It was downloaded more than 5,000 times from Google Play before being removed.
- Coin Wallet Pro – Pitched itself as a secure, multi-chain wallet app. It briefly appeared on Apple’s App Store and gained traction via Telegram and social media ads.
Both apps carried strong crypto branding, including “crypto-only” store interfaces, signaling a clear intent to harvest seed phrases.
Regional Focus & Global Risk
While the malware is primarily targeting users in Southeast Asia and China, there are growing concerns that the infection vector could expand globally, especially through side-loaded apps and promotional channels like Telegram groups and crypto forums.
SparkKitty is believed to be an evolution of SparkCat, a spyware campaign that emerged in early 2024 with similar functionality and targeting mechanisms.
Stay Safe: Key Recommendations
Kaspersky’s security experts recommend the following to mitigate the risk:
- Never store screenshots of seed phrases; write them down and keep them offline.
- Avoid apps that ask for gallery access unnecessarily.
- Be skeptical of apps that require installing developer profiles or special permissions.
- Only use wallets from trusted developers with a strong track record and preferably open-source code.
- Regularly review which apps have photo access and revoke permissions for those that don’t need it.
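The photo-access review in the last recommendation can be scripted on Android. The following is an added example, not part of Kaspersky's report: it parses text in the layout that `adb shell dumpsys package` typically prints (the layout varies between Android versions, so the patterns are an assumption) and lists apps holding a granted photo permission, marking those not installed through Google Play. The package names and sample text are constructed.

```python
import re

# Android runtime permissions that expose stored photos.
PHOTO_PERMS = {"android.permission.READ_MEDIA_IMAGES",
               "android.permission.READ_EXTERNAL_STORAGE"}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+): granted=(true|false)")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")

# Constructed sample in the assumed dumpsys layout (hypothetical packages).
SAMPLE = """\
Packages:
  Package [com.example.gallery] (1a2b3c):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.cointracker] (4d5e6f):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (7a8b9c):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET]
"""

def photo_access_report(text, trusted=("com.android.vending",)):
    """Return (package, granted photo permissions, sideloaded?) per app."""
    apps, cur = {}, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            cur = apps.setdefault(m.group(1), {"perms": set(), "installer": None})
        elif cur is None:
            continue  # header lines before the first package block
        elif m := INSTALLER_RE.match(line):
            cur["installer"] = m.group(1)
        elif (m := PERM_RE.match(line)) and m.group(2) == "true":
            if m.group(1) in PHOTO_PERMS:
                cur["perms"].add(m.group(1))
    # Keep only apps that can read photos; flag installers outside the trusted set.
    return [(pkg, sorted(a["perms"]), a["installer"] not in trusted)
            for pkg, a in sorted(apps.items()) if a["perms"]]

if __name__ == "__main__":
    for pkg, perms, sideloaded in photo_access_report(SAMPLE):
        print(pkg, perms, "SIDELOADED" if sideloaded else "store install")
```

Apps flagged as sideloaded with photo access are the first candidates for revoking the permission or uninstalling.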
Response and Next Steps
Kaspersky has already notified Google and Apple, and the known malicious apps have been removed. However, the campaign is believed to have been active since at least April 2024, with some malware samples potentially dating back even earlier.
The report underscores a chilling truth for crypto users: even the most cautious can fall victim if they underestimate the power of a screenshot.