SparkKitty Malware Targets Crypto Wallets: A Hidden Danger in App Stores
- Gator
- Jun 25

Introduction
A sophisticated new malware, SparkKitty, has infiltrated the Apple App Store and Google Play, posing a significant risk to cryptocurrency investors. Discovered by Kaspersky on June 11, 2025, this spyware steals photos from infected devices to extract seed phrases, the critical keys to crypto wallets, potentially draining users’ digital assets. With apps like 币coin and SOEX, downloaded over 10,000 times, targeting users in Southeast Asia and China, the incident underscores the growing threat of mobile malware in the $3.35 trillion crypto market. Here’s how SparkKitty operates and how to stay safe.
How SparkKitty Steals Seed Phrases
SparkKitty malware, a successor to the January 2025 SparkCat campaign, infects iOS and Android devices through seemingly legitimate apps, including crypto trackers, TikTok mods, gambling games, and adult content apps. Once installed, it uses optical character recognition (OCR) to scan photo galleries for screenshots containing crypto wallet seed phrases—12- or 24-word recovery keys that grant full wallet access. Kaspersky analysts Sergey Puzan and Dmitry Kalinin noted that while seed phrases are the primary target, other sensitive data in images, like personal IDs, could also be compromised. The malware’s visual recognition is optimized for wallets like MetaMask, Trust Wallet, and Phantom, making it a potent threat.
Infiltration of Major App Stores
SparkKitty’s ability to bypass Apple and Google’s security measures highlights vulnerabilities in app store vetting. Apps like 币coin, marketed as a crypto information tracker on the App Store, and SOEX, a messaging app with crypto exchange features on Google Play, were key vectors. SOEX alone was installed over 10,000 times before Google removed it and banned its developer, as confirmed by a Google spokesperson. Kaspersky notified both platforms, leading to the apps’ removal, but the campaign, active since early 2025, may persist through sideloaded apps or third-party stores, posing a global risk.
Regional Focus and Broader Implications
The malware primarily targets users in Southeast Asia and China, with infected apps featuring Chinese gambling games and crypto-themed interfaces, per Kaspersky’s findings. However, its distribution via social media and app stores makes it scalable worldwide. A 2024 TRM Labs report estimated that 70% of $2.2 billion in stolen crypto resulted from private key and seed phrase thefts, with malware like SparkKitty enabling such attacks. X posts from users like @web3_antivirus and @Cryptotvplus reflect alarm, urging offline key storage to mitigate risks. The incident amplifies concerns about app store security and the need for user vigilance in a booming crypto market.
Protecting Your Crypto Assets
To avoid falling victim to SparkKitty, never store seed phrases digitally, especially as screenshots. Kaspersky and SlowMist recommend writing seed phrases on paper and storing them offline in a secure location, like a safe. Verify app authenticity before downloading, checking developer credentials and reviews on platforms like CoinGecko or CertiK. Avoid sideloading apps or clicking suspicious links, as warned in a Cointelegraph guide on crypto scams. Using hardware wallets, such as Trezor’s Safe 5, adds an extra layer of protection. Regularly scan devices with trusted antivirus software and enable two-factor authentication (2FA) to safeguard wallets.
Conclusion: Staying Ahead of Crypto Malware Threats
SparkKitty’s infiltration of major app stores serves as a stark reminder of the evolving dangers targeting crypto investors. By exploiting human error—such as storing seed phrases as screenshots—this malware underscores the need for robust security practices in the $3.35 trillion crypto ecosystem. While Apple and Google have removed the offending apps, the threat persists through alternative channels, demanding heightened vigilance. By adopting offline storage, verifying apps, and leveraging secure tools, investors can protect their digital wealth, ensuring safety in an era of relentless cyber threats.