A New Breed of Spyware Targets Crypto Users
Security firm Kaspersky has issued a chilling warning: a malware campaign named “SparkKitty” is actively targeting cryptocurrency users through mobile apps on both iOS and Android, including some previously found on official app stores. What sets SparkKitty apart is its use of optical character recognition (OCR) to extract seed phrases and other sensitive data from screenshots stored on infected devices.
SparkKitty follows in the footsteps of a previous malware strain called SparkCat, but expands its reach dramatically. While SparkCat was more targeted, SparkKitty collects all available images from infected devices, turning every screenshot into a potential security breach.
Our researchers uncovered #SparkKitty, a stealthy Trojan targeting both #iOS and #Android devices.
It captures images and device data from infected phones and transmits them to the attackers. The Trojan was embedded in apps related to #crypto, gambling, and even a trojanized… pic.twitter.com/2CjjSwcpeo
— Kaspersky (@kaspersky) June 24, 2025
How SparkKitty Infects iOS and Android Users
Kaspersky discovered the SparkKitty spyware campaign in January 2025, finding it distributed through both unofficial APK sites and—more alarmingly—the Google Play Store and Apple App Store. Though the infected apps have since been removed, they highlight a growing issue: malware bypassing official platform protections.
On iOS, SparkKitty uses obfuscated libraries disguised as legitimate ones, such as AFNetworking.framework, and abuses Apple's Developer Enterprise Program, hijacking enterprise certificates to sidestep App Store restrictions. These infected iOS apps request access to the photo gallery at launch, which is a red flag: the genuine TikTok app does not ask for that permission.
On Android, the malware is embedded in cryptocurrency-themed apps written in Java and Kotlin, often posing as messaging platforms or crypto exchanges. Once installed, these apps fetch configuration files from remote command-and-control servers, decrypt them with AES-256 in ECB mode, and begin exfiltrating data, including the screenshots stored on the device.
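The permission pattern described above (image read access plus network access in an app that has no photo feature, with READ_PHONE_STATE as a fingerprinting signal) can be checked statically before an APK is trusted. The following is an added triage example, not code from Kaspersky's report; the permission names are real Android identifiers, and the sample manifest is constructed:

```python
"""Static triage of a decoded AndroidManifest.xml for the SparkKitty-style
permission pattern: read access to stored images plus INTERNET, with
READ_PHONE_STATE (needed to read the IMEI used in device fingerprinting)
as an extra signal. Added example; the sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; either of the first two grants image reads.
IMAGE_READ_PERMS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}
NETWORK_PERM = "android.permission.INTERNET"
PHONE_STATE_PERM = "android.permission.READ_PHONE_STATE"


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}


def triage_manifest(manifest_xml: str, expects_photos: bool = False) -> list[str]:
    """Return human-readable findings; an empty list means no red flag.

    expects_photos: True for apps whose purpose legitimately needs the
    gallery (photo editors, camera apps); a chat or exchange app does not.
    """
    perms = declared_permissions(manifest_xml)
    image_perms = sorted(perms & IMAGE_READ_PERMS)
    findings = []
    if image_perms and not expects_photos:
        findings.append(f"image read permission without a photo feature: {image_perms}")
    if image_perms and NETWORK_PERM in perms:
        findings.append("image read + INTERNET: gallery contents can be uploaded")
    if PHONE_STATE_PERM in perms:
        findings.append("READ_PHONE_STATE: IMEI available for device fingerprinting")
    return findings


# Constructed sample: a "messaging" app asking for far more than chat needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

The manifest must already be decoded from the APK's binary XML (for example with apktool); the heuristic is a triage aid, not proof of malice, since legitimate photo apps declare the same permissions.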
TikTok Clones and Casino Apps Spread the Infection
Kaspersky first stumbled onto SparkKitty while tracking suspicious links promoting TikTok “mod” apps. These apps—available through obscure stores—serve as Trojan horses, executing malware alongside normal functions. The infected apps displayed shopping portals like TikToki Mall, where purchases required crypto payments and invitation codes, raising further suspicions.
On the backend, the malware can perform device fingerprinting using IMEI numbers, MAC addresses, and UUIDs, allowing it to track devices even if users reinstall apps or wipe storage.
One infected messaging app, camouflaged with crypto exchange features, garnered over 10,000 downloads on Google Play before being taken down. Casino-style apps were also implicated, shipping as modules for the Xposed framework to gain deep system-level access.
OCR and Machine Learning Weaponized for Image Theft
What makes SparkKitty particularly dangerous is its OCR capability, enabling it to scan image files (JPEG and PNG) for readable text. Using Google’s ML Kit, the malware identifies and extracts sensitive data from seed phrase screenshots, wallet addresses, and private notes.
These functions are triggered through progressive web apps (PWAs), often promoted via Ponzi scheme ads on social media platforms. The infected PWAs prompt users to download APKs, which then scan the photo gallery for crypto-sensitive screenshots.
Growing Threat to Mobile Crypto Security
The SparkKitty malware campaign is still under active investigation, and its widespread delivery via both mainstream and alternative platforms signals a dangerous evolution in crypto-related cybercrime. As crypto adoption surges globally, so too does the sophistication of malicious actors.
Users are advised to avoid sideloading apps, regularly review app permissions, and use hardware wallets instead of storing seed phrases in screenshots or local note apps.