
A mobile spyware campaign aimed at cryptocurrency users has infiltrated both Apple’s App Store and Google Play with apps built to steal seed phrases and wallet credentials that victims keep as photos on their phones. The malware, dubbed SparkKitty, marks a significant escalation in mobile cryptocurrency threats, and the infected apps reached thousands of users worldwide before they were taken down.
Advanced Malware Campaign Targets Crypto Assets
SparkKitty is a successor to the SparkCat campaign uncovered in early 2025 and uses trojanized frameworks and libraries to exfiltrate sensitive data from iOS and Android devices. Unlike malware that spreads only through unofficial channels, it has been confirmed inside multiple apps that were listed in the official stores.
The operators put real effort into looking legitimate. A messaging app with crypto-exchange features accumulated over 10,000 installs on Google Play, while an iOS app called «币coin» posed as a portfolio tracker. Hiding the payload inside apps that otherwise work as advertised is what let it slip past the review process that is supposed to keep malware out of the official stores.
Kaspersky researchers found that the malware uses optical character recognition (OCR) to pick out images containing seed phrases and private keys. Matching images are flagged and transmitted to attacker-controlled servers, and a single legible seed phrase is enough for complete wallet compromise, since anyone who holds it can recreate the wallet on a device of their own.
Technical Analysis Reveals Sophisticated Attack Methods
iOS Exploitation Techniques
At the core of the iOS variant is a trojanized build of the AFNetworking or Alamofire networking framework, into which the attackers inserted a class that implements Objective-C’s +load method. The runtime calls +load when the class is loaded into the process, before the app’s own main() runs, so the malicious code executes the moment the infected app starts, with nothing for the user to notice and no call needed from the app’s legitimate code.
iOS installation outside the App Store relies on enterprise provisioning profiles, a legitimate mechanism intended for internal corporate apps. Victims are walked through manually trusting a developer certificate issued to «SINOPEC SABIC Tianjin Petrochemical Co. Ltd.», which lets an app that never went through App Store review run on the device. Trusting the certificate does not grant system-level privileges: the app still runs in the normal sandbox and has to request photo-library access like any other app, but a victim who has already been talked into trusting a profile is unlikely to refuse that prompt.
Android Variant Capabilities
The Android version uses modified Java libraries to the same end. OCR is applied via Google ML Kit to extract text from gallery images; if the text looks like a seed phrase or private key, the file is flagged and sent to the attackers’ servers. Doing the OCR on the device lets the malware sift through a large gallery quickly and upload only the images that hold credentials.
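The selection step described above (for both the iOS and Android variants) is worth seeing from the defender’s side, because the same heuristics a stealer applies to OCR output are what a DLP scanner or an incident responder triaging an exfiltrated gallery would run. The Go program below is an added example and is not SparkKitty’s code: it flags 32-byte hex keys (Ethereum-style exports), Bitcoin WIF keys confirmed by their Base58Check checksum rather than by shape alone, and lines of 12 to 24 short lowercase words, the shape of a BIP-39 phrase. The sample OCR text, the placeholder hex key and the throwaway WIF are constructed for the example, and the full 2048-word BIP-39 list is deliberately left out.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
	"regexp"
	"strings"
)

type Hit struct {
	Kind  string // "eth-hex-key", "btc-wif" or "mnemonic-shaped"
	Value string
}
const b58Alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
var (
	hexKeyRe  = regexp.MustCompile(`\b(?:0x)?[0-9a-fA-F]{64}\b`)                 // 32-byte hex key, Ethereum-style
	wifRe     = regexp.MustCompile(`\b[5KL][1-9A-HJ-NP-Za-km-z]{50,51}\b`)        // Bitcoin mainnet WIF shape
	wordRunRe = regexp.MustCompile(`(?:\b[a-z]{3,8}\b[ \t]+){11,23}\b[a-z]{3,8}\b`) // 12-24 short words on one line
)

func base58Decode(s string) ([]byte, bool) {
	n := new(big.Int)
	for _, c := range s {
		idx := strings.IndexRune(b58Alphabet, c)
		if idx < 0 {
			return nil, false
		}
		n.Mul(n, big.NewInt(58)).Add(n, big.NewInt(int64(idx)))
	}
	out := n.Bytes()
	for i := 0; i < len(s) && s[i] == '1'; i++ { // each leading '1' is a zero byte
		out = append([]byte{0}, out...)
	}
	return out, true
}

func base58Encode(b []byte) string {
	n, mod, out := new(big.Int).SetBytes(b), new(big.Int), []byte{}
	for n.Sign() > 0 {
		n.DivMod(n, big.NewInt(58), mod)
		out = append([]byte{b58Alphabet[mod.Int64()]}, out...)
	}
	for i := 0; i < len(b) && b[i] == 0; i++ {
		out = append([]byte{'1'}, out...)
	}
	return string(out)
}

// checksum is the Base58Check tag: first four bytes of SHA256(SHA256(payload)).
func checksum(payload []byte) []byte {
	h1 := sha256.Sum256(payload)
	h2 := sha256.Sum256(h1[:])
	return h2[:4]
}

// ValidBase58Check separates a real WIF key from random base58-looking text.
func ValidBase58Check(s string) bool {
	raw, ok := base58Decode(s)
	if !ok || len(raw) < 5 {
		return false
	}
	return bytes.Equal(checksum(raw[:len(raw)-4]), raw[len(raw)-4:])
}

// ScanOCRText runs the three heuristics over OCR output and returns the hits.
func ScanOCRText(text string) []Hit {
	var hits []Hit
	for _, m := range hexKeyRe.FindAllString(text, -1) {
		hits = append(hits, Hit{"eth-hex-key", m})
	}
	for _, m := range wifRe.FindAllString(text, -1) {
		if ValidBase58Check(m) { // shape alone is not enough; the checksum is
			hits = append(hits, Hit{"btc-wif", m})
		}
	}
	for _, m := range wordRunRe.FindAllString(text, -1) {
		switch len(strings.Fields(m)) {
		case 12, 15, 18, 21, 24: // BIP-39 lengths; real tooling also checks the 2048-word list
			hits = append(hits, Hit{"mnemonic-shaped", m})
		}
	}
	return hits
}

// SampleWIF encodes a throwaway 32-byte value (NOT a real key) as an
// uncompressed mainnet WIF: 0x80 prefix, key bytes, 4-byte checksum.
func SampleWIF() string {
	payload := append([]byte{0x80}, bytes.Repeat([]byte{0x11}, 32)...)
	return base58Encode(append(payload, checksum(payload)...))
}

// SampleOCRText is constructed stand-in OCR output with placeholder secrets.
func SampleOCRText() string {
	return "MetaMask key 0x" + strings.Repeat("ab12", 16) + "\n" +
		"BTC WIF " + SampleWIF() + "\n" +
		"recovery: abandon ability able about above absent absorb abstract absurd abuse access accident\n"
}

func main() {
	for _, h := range ScanOCRText(SampleOCRText()) {
		fmt.Printf("%-16s %s\n", h.Kind, h.Value)
	}
}
```

Running it prints one hit of each kind. The word-run heuristic is the noisy one: any line of 12 short lowercase words triggers it, which is why a production scanner (or the malware, if it bothers) checks every word against the BIP-39 list and verifies the phrase checksum before uploading.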
Both variants use a layered command-and-control setup. Several C2 addresses were delivered as AES-256 encrypted configuration files hosted at addresses that do not appear in plain text in the app; once decrypted, the configuration points to payload fetchers and to endpoints such as /api/putImages and /api/getImageStatus. The encryption hides the live infrastructure from string-based scanning and static analysis, so an analyst has to recover the key from the binary before the real C2 endpoints can be seen.
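To make that configuration-recovery step concrete, here is an added Go example of the analyst side. It is not SparkKitty’s code and the page does not document the real format, so it assumes AES-256 in CBC mode with PKCS#7 padding and the IV prepended to the blob, a JSON layout with a c2 field and an endpoints list, and a placeholder 32-byte key standing in for the one recovered from the binary; only the endpoint paths come from this page. EncryptConfig exists so the block can build its own sample blob and run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Config is the ASSUMED layout of the decrypted configuration. The page only
// says it names payload fetchers and endpoints; the real schema is unknown.
type Config struct {
	C2        string   `json:"c2"`
	Endpoints []string `json:"endpoints"`
}

// SampleKey is a placeholder for the 32-byte key an analyst would pull out of
// the app binary; a 32-byte key is what selects AES-256 in crypto/aes.
func SampleKey() []byte { return []byte("0123456789abcdef0123456789abcdef") }

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupted blob")
	}
	return b[:len(b)-n], nil
}

// EncryptConfig mimics the operator side (assumed: AES-256-CBC, PKCS#7, random
// IV prepended) so the example can produce its own blob.
func EncryptConfig(key []byte, cfg Config) ([]byte, error) {
	plain, err := json.Marshal(cfg)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// DecryptConfig is the analyst side: the key recovered from the binary plus the
// blob fetched from the C2 URL give back the parsed configuration. A wrong key
// surfaces as a padding or JSON error rather than as a bogus Config.
func DecryptConfig(key, blob []byte) (Config, error) {
	var cfg Config
	block, err := aes.NewCipher(key)
	if err != nil {
		return cfg, err
	}
	if len(blob) < 2*aes.BlockSize || len(blob)%aes.BlockSize != 0 {
		return cfg, errors.New("blob too short or not block aligned")
	}
	iv, ct := blob[:aes.BlockSize], blob[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pt, err = pkcs7Unpad(pt, aes.BlockSize); err != nil {
		return cfg, err
	}
	if err := json.Unmarshal(pt, &cfg); err != nil {
		return cfg, fmt.Errorf("plaintext is not the expected JSON: %w", err)
	}
	return cfg, nil
}

func main() {
	cfg := Config{C2: "https://c2.invalid", Endpoints: []string{"/api/putImages", "/api/getImageStatus"}}
	blob, err := EncryptConfig(SampleKey(), cfg)
	if err != nil {
		panic(err)
	}
	got, err := DecryptConfig(SampleKey(), blob)
	fmt.Printf("decrypted: %+v err=%v\n", got, err)
	_, err = DecryptConfig([]byte("ffffffffffffffffffffffffffffffff"), blob)
	fmt.Println("wrong key:", err)
}
```

The useful part for detection is what comes out of DecryptConfig: the C2 host and the endpoint paths are the strings to feed into network blocklists and proxy rules, and they only become visible after the key has been extracted from the app, which is exactly why the operators encrypt the file.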
Global Impact and Distribution Scope
Initial analysis suggests the malware primarily targets users in China and Southeast Asia, but security experts warn that nothing in the code limits its regional scope; with app stores being global, cryptocurrency users anywhere are exposed to the same kind of attack.
Apple and Google removed the apps after disclosure, but the campaign has likely been active since early 2024 and may still be running through sideloaded variants and clone stores. Over that span thousands of users may already have been compromised, many without knowing it.
Removal from the official stores does not eliminate the threat. The operators can keep distributing through third-party app stores and direct installs, and on iOS through enterprise profiles, all of which bypass store review.
Cryptocurrency Security Best Practices for Mobile Users
Secure Seed Phrase Storage Guidelines
Security experts unanimously recommend against storing a seed phrase digitally in any form: do not type it into a notes app and do not photograph it with your phone. A phrase written on paper cannot be read by malware on any device, although it can still be lost or physically stolen, which is why it needs a secure physical location. This principle matters more than ever now that malware exists specifically to harvest such photos.
Consider keeping more than one copy of the seed phrase in separate, secure locations. That redundancy protects against fire, loss and a targeted physical theft while preserving your ability to recover.
Enhanced Mobile Security Measures
Cryptocurrency users should also tighten how they communicate about their holdings. A seed phrase should never be sent to anyone over any channel; no exchange, wallet vendor or support agent ever needs it. For other sensitive discussion about cryptocurrency matters, use end-to-end encrypted channels such as Signal or ProtonMail.
Device-level hygiene matters just as much. If a digital backup is unavoidable, it belongs in an encrypted container on a USB drive kept offline, never on an internet-connected phone or laptop where gallery-scraping malware can reach it; a plain photo in the camera roll is the worst option of all.
Hardware Wallet Advantages in Mobile Security Context
The SparkKitty campaign exposes a basic weakness of managing cryptocurrency on a general-purpose phone. A hardware wallet such as a Ledger generates the private key inside the device and never exports it: transactions are sent to the device for signing and only the signature comes back, so malware on the phone or computer it is paired with cannot read the key. The device does still show a recovery phrase at setup, and that phrase has to be backed up offline; photographing it with your phone hands a SparkKitty-style stealer exactly what the hardware wallet was bought to protect.
The key lies in layered security – combining offline storage, strong backup procedures, physical protection, and ongoing vigilance against evolving attack methods. This comprehensive approach addresses multiple attack vectors simultaneously.
Industry Response and Future Implications
The cryptocurrency industry continues grappling with sophisticated mobile threats. Over $1.5 billion of crypto was lost to scams or theft in just three months of 2025, highlighting the scale of current security challenges facing the sector.
A large-scale phishing campaign dubbed ‘PoisonSeed’ compromises corporate email-marketing accounts and uses them to send emails containing attacker-generated seed phrases, inviting recipients to set up a new wallet with them; any funds moved into such a wallet are under the attackers’ control. This parallel campaign shows that cryptocurrency credential theft keeps evolving across platforms and attack vectors.
Recommendations for Immediate Action
Cryptocurrency users should audit their mobile security practices now: delete any photos or notes containing seed phrases from smartphones and from the cloud photo backups they sync to, move significant holdings to a hardware wallet, and keep mobile operating systems updated to receive the latest security patches.
The SparkKitty campaign serves as a critical reminder that convenience often conflicts with security in cryptocurrency management. As mobile adoption continues growing, users must prioritize proper security practices over ease of access to protect their digital assets from increasingly sophisticated threats.
Remember that cryptocurrency security responsibility rests entirely with you. No government insurance protects crypto holdings, making personal security practices the primary defense against evolving malware campaigns targeting the cryptocurrency ecosystem.