How the ‘SparkKitty’ Trojan Is Stealing Crypto Wallet Data From Phones
A new cyber threat dubbed “SparkKitty” has been uncovered targeting smartphones to steal sensitive cryptocurrency wallet information. Cybersecurity firm Kaspersky revealed in a report on June 25, 2025, that this Trojan malware is stealthily embedded in seemingly innocuous apps, including crypto trading tools, gambling applications, and modified versions of TikTok. Its primary targets are users in China and Southeast Asia, though experts warn that it could soon spread globally.
The Modus Operandi of SparkKitty
SparkKitty deceives victims by masquerading as legitimate apps hosted on official platforms like the Apple App Store and Google Play, as well as through third-party websites. The malware gains initial access via deceptive provisioning profiles—mechanisms typically used for running iOS or modified apps. Once installed, SparkKitty requests permission to access the infected device’s photo gallery.
After receiving access, the Trojan continuously monitors for changes within the gallery. It compiles a local database of images before uploading them to a remote server controlled by the attackers. Kaspersky researchers suspect the primary goal of this image theft is to capture screenshots of cryptocurrency wallet seed phrases, which are the critical keys needed to access and control victims’ crypto assets.
The Danger of Seed Phrase Theft
Seed phrases are essentially the master keys that grant full control over a cryptocurrency wallet. Stealing them allows hackers to withdraw cryptocurrencies without authorization, often resulting in irreversible losses. According to a 2024 report by TRM Labs, nearly 70% of the $2.2 billion stolen in crypto thefts last year stemmed from attacks targeting wallet credentials like private keys and seed phrases.
Malware like SparkKitty thus poses a significant threat to crypto users by facilitating such high-stakes thefts through covert collection of confidential images from victims’ phones.
Connection to Previous Campaigns
SparkKitty appears linked to Kaspersky’s earlier discovery of the SparkCat spyware campaign, identified in January 2025. Both campaigns employ malicious software development kits (SDKs) embedded in apps to gain access to photos on user devices. However, whereas SparkCat focused specifically on extracting images with seed phrases using Optical Character Recognition (OCR) technology, SparkKitty indiscriminately uploads all photos, likely for offline analysis and data extraction.
This evolution indicates attackers refining their methods to cast wider nets in harvesting valuable wallet information.
Widespread Threat Across Platforms
Researchers have confirmed the presence of SparkKitty in both Android and iOS applications. Its ability to infiltrate official app stores underscores the increasing challenge of policing malware disguised as legitimate applications, especially in crypto-related spaces.
SparkKitty joins a growing list of sophisticated malware strains targeting cryptocurrency holders. For example, the Noodlophile information stealer has been discovered embedded in AI tools, exploiting the hype around artificial intelligence to lure users. Similarly, international law enforcement agencies recently targeted infrastructure linked to LummaC2 malware, responsible for over 1.7 million theft attempts aimed at stealing login credentials, including crypto wallet access details.
Protecting Yourself Against Wallet Theft
As crypto wallets become more integrated into everyday mobile apps, the risk of Trojan malware like SparkKitty escalating their attacks has intensified. Users should exercise caution when downloading apps, especially from unofficial sources or when granting extensive permissions such as photo access.
Regularly updating devices, using official app stores cautiously, and employing hardware wallets or multi-factor authentication can help mitigate the risk. Staying informed about emerging malware campaigns is also vital for crypto users looking to safeguard their digital assets.
Cryptocurrency Market Snapshot (June 25, 2025):
- Bitcoin (BTC): $106,917.00 (+1.51%)
- Ethereum (ETH): $2,444.74 (+1.31%)
- Binance Coin (BNB): $645.02 (+0.70%)
- Solana (SOL): $146.42 (+1.15%)
- Dogecoin (DOGE): $0.166133 (+1.39%)
- Cardano (ADA): $0.58164 (-0.05%)
Note: Despite the ongoing security threats, several major cryptocurrencies show positive price movements, highlighting sustained interest in the market.
Stay vigilant and keep your crypto assets secure. For more information and updates on emerging cyber threats in the blockchain ecosystem, follow trusted cybersecurity sources and keep your devices protected.