How the ‘SparkKitty’ Trojan Is Stealing Crypto Wallet Data From Phones

A newly discovered Trojan dubbed “SparkKitty” is infecting smartphones and siphoning off sensitive data, potentially enabling attackers to drain victims’ cryptocurrency wallets, cybersecurity firm Kaspersky said in a report on Tuesday.

The malware is embedded in apps related to crypto trading, gambling, and even modified versions of TikTok.

Once installed via deceptive provisioning profiles—used for running iOS apps or modified apps—SparkKitty requests access to the photo gallery. It monitors for changes, creates a local database of stolen images, and uploads photos to a remote server.

“We suspect the attackers’ main goal is to find screenshots of crypto wallet seed phrases,” Kaspersky said.

Currently, the malware primarily targets victims in China and Southeast Asia. However, the firm warned that there was nothing to stop it from spreading to other regions.

In its 2024 report, TRM Labs estimated that nearly 70% of the $2.2 billion in stolen crypto last year resulted from infrastructure attacks, particularly those involving the theft of private keys and seed phrases. 

Infected devices

Malware like SparkKitty enables such thefts as attackers can use data from infected devices to search for wallet credentials. Seed phrases are highly valuable because they allow full access to a user’s crypto wallet.

SparkKitty is believed to be linked to the SparkCat spyware campaign first uncovered in January 2025, which similarly used malicious SDKs to gain access to photos on user devices. 

While SparkCat focused its spyware on images with seed phrases using Optical Character Recognition (OCR technology, SparkKitty indiscriminately uploads photos, presumably to be processed later.

Its presence has been confirmed in both Android and iOS apps on their respective app stores, including disguised as crypto-themed tools and TikTok mods. 

SparkKitty joins a host of other crypto-targeting malware and trojans that have gained popularity among hackers over the last few years.

Among them, the information stealer Noodlophile has been found embedded in AI tools available for download online, taking advantage of current interest around the technology.

Hackers build convincing-looking AI sites and then advertise them via social media to attract unsuspecting victims. 

An international law enforcement effort in May targeted key infrastructure related to the distribution of another strain of malware, LummaC2, which has been linked to over 1.7 million theft attempts. 

LummaC2 aimed to steal information related to login credentials, including for crypto wallets. 

Edited by Sebastian Sinclair