New malware scans photos on both Android and iOS devices

Cybersecurity researchers at Kaspersky have uncovered a new and dangerous malware strain, which they believe has been active since at least Feb. 2024.

Dubbed SparkKitty, the malware is part of the broader SparkCat family — a line of Trojan horse programs designed to steal cryptocurrency from unsuspecting users. Kaspersky first discovered the original SparkCat malware in Jan. 2025, noting that it had already made its way onto both the Google Play Store and Apple’s App Store.

Like many trojans, these malicious apps disguise themselves as legitimate software. In the crypto world, this can be especially risky. The researchers say that one such Android app, SOEX, posed as a messaging platform with cryptocurrency trading features. They say it racked up more than 10,000 downloads on Google Play before being flagged. Kaspersky researchers found a similar app on the iOS app store, as well as modified versions of the TikTok app posing as the real thing.

SparkKitty is specifically engineered to access users’ photo libraries. The reasoning is that many crypto users screenshot their recovery phrases, which are needed to restore access to their wallets, and store them in their camera rolls. By extracting these images, attackers can potentially gain full access to victims’ crypto accounts.

Malware like SparkKitty is built to scan for images that could be valuable to attackers. However, unlike its more targeted predecessor, SparkCat, SparkKitty isn’t especially selective: it scoops up a broad range of images and sends them back to the attackers, regardless of content, according to a detailed report on Securelist by Kaspersky.

While the primary concern remains the theft of crypto wallet recovery phrases, broader access to users’ photo libraries opens the door to other risks, including potential extortion using sensitive or private images. That said, there appears to be no evidence that the stolen images have been used for blackmail or similar schemes.

Kaspersky reports that the malware campaign has primarily targeted users in Southeast Asia and China. Most of the infected apps were disguised as Chinese gambling games, TikTok clones, and adult entertainment apps, all tailored to users in those regions.
