A new trojan spy named SparkKitty has been discovered by Kaspersky, targeting both Android and iOS devices through malicious apps listed on Google Play and the App Store. Embedded in cryptocurrency, gambling, and even trojanized TikTok apps, this malware collects images and sensitive data from infected smartphones, posing serious risks to users across Southeast Asia, China, and potentially India.
Linked to the previously reported SparkCat malware, SparkKitty reuses the same method of scanning gallery screenshots to steal cryptocurrency wallet recovery phrases and passwords. This is now the second time in a year that a trojan has been found targeting iOS users in this way, highlighting the growing sophistication of mobile malware.
Malicious Apps Disguised as Crypto Tools and TikTok
On iOS, the malware was disguised as a cryptocurrency-related app called 币coin and spread through phishing pages that mimicked Apple’s App Store. Attackers exploited a legitimate feature in iOS — developer tools used for corporate app distribution — to bypass App Store vetting and install the trojan.
The malware-infected version of TikTok, once installed, inserted links to suspicious crypto-only marketplaces within user profiles and accessed private photo libraries during login.
For Android users, SparkKitty was embedded in apps such as SOEX — a fake messenger and crypto exchange. This app was downloaded over 10,000 times from Google Play before removal. Additionally, APK versions of malicious crypto tools were distributed via third-party websites and promoted through social media channels, including YouTube.
The Real Threat: Data in Your Photo Gallery
Kaspersky’s researchers warn that the malware stealthily uploads all gallery images to attacker-controlled servers, searching for screenshots containing sensitive information like crypto wallet keys, banking details, and personal identifiers.
Malware expert Dmitry Kalinin emphasized that the infected apps continued to function normally while secretly stealing user data. He pointed out that the attackers’ focus on digital assets — through crypto-themed app disguises and crypto-only payment gateways — suggests a targeted strategy to compromise financial accounts.
Kaspersky Recommendations for Protection
Kaspersky has reported the malicious apps to both Google and Apple. In the meantime, the company has issued several protective measures for users:
Delete any apps suspected of being part of this campaign, especially if installed via unofficial sources.
Avoid storing sensitive data in your gallery, such as recovery phrases or passwords.
Use password managers and strong authentication for all crypto or financial apps.
Rely on mobile cybersecurity tools like Kaspersky Premium, which can block data exfiltration and warn users about suspicious behavior — especially on iOS where access is limited.
