Cybersecurity experts have issued a warning over SparkKitty — a stealthy new malware that targets mobile crypto wallets. This sophisticated Trojan is designed to exploit smartphone users by stealing critical information, including seed phrases. Disguised as TikTok mods and crypto-related utilities, SparkKitty silently extracts sensitive data once installed.
Trojan Hides in TikTok Mods and Crypto Apps
SparkKitty is distributed through modified versions of popular mobile apps. In particular, it has been spotted embedded within TikTok mods and crypto portfolio management tools. These fake apps offer features like enhanced editing tools or free crypto signals to attract downloads. However, they use deceptive provisioning profiles to bypass official vetting systems. This allows them to operate on both Android and iOS devices without detection.
Once the app is launched, SparkKitty runs silently in the background. It avoids raising alarms by mimicking normal app behaviour while initiating data collection processes. Its primary mission is to gather sensitive images from the device’s gallery and forward them to attacker-controlled servers.
Photo Gallery Access Used to Locate Seed Phrases
One of SparkKitty’s key strategies is to request access to the photo gallery. Once granted, it continuously scans the device for new images. Security researchers have discovered that the malware stores each image in a local database. Later, these images are uploaded to a remote server for further analysis.
Researchers suspect the Trojan is designed to locate screenshots containing crypto wallet seed phrases. Many crypto wallet apps prompt users to screenshot or photograph their seed phrases for backup. SparkKitty exploits this behaviour to obtain the most critical security keys. With a complete seed phrase, hackers can easily take full control of a wallet. This gives them access to transfer, liquidate, or even erase funds without alerting the user.
Targeting Users in Southeast Asia and China First
Early investigations have shown that SparkKitty was initially deployed across Southeast Asia and China. Kaspersky reports that most infections occurred in these regions between March and May 2025. The malware’s architecture, however, is built for wide-scale expansion. It uses fast-spreading channels, such as social media and third-party app stores, to reach more victims.
Cyber experts warn that its reach could become global in a matter of weeks. Malicious actors have demonstrated the ability to update the malware and localise content quickly. The Asia-Pacific region is especially vulnerable due to high mobile app engagement. This makes it a prime target for malware campaigns aimed at financial theft.
SparkKitty May Link to Previous SparkCat Campaign
Some cybersecurity researchers believe SparkKitty is an evolved variant of SparkCat — a malware found earlier in 2025. SparkCat also accessed galleries and used Optical Character Recognition (OCR) to extract text from screenshots. The malware was linked to the theft of thousands of dollars in crypto through similar tactics.
However, SparkKitty improves on SparkCat’s method by uploading all gallery images for later processing. Instead of analysing images on-device, it transfers bulk data to external servers. This reduces its digital footprint on the phone, making detection harder. It also increases the risk for users, as all images — not just those with seed phrases — are compromised.
Malware on App Stores Disguised as Useful Tools
What makes SparkKitty particularly dangerous is its presence on official app platforms. Security firms have found instances of infected apps on both the Apple App Store and Google Play. This suggests the malware has exploited developer loopholes or weak vetting controls. Malicious actors use popular brand names, trending features, and manipulated reviews to lure downloads.
Many of these apps claim to be helpful crypto portfolio trackers or advanced TikTok video editors. Some are even advertised through social media platforms with convincing promotional material. This aligns with broader malware trends, where threat actors mask Trojans as productivity tools or entertainment apps.
Other Malware Campaigns Highlight Ongoing Risks
SparkKitty joins a growing list of malware campaigns designed to target crypto users. Noodlophile, another Trojan, hides in AI-based tools and steals personal and financial credentials. It spreads through fake AI services, luring users into downloading corrupted installers.
Meanwhile, LummaC2 has been responsible for over 1.7 million credential theft attempts. Its primary vector is phishing emails that trick users into logging into fake services. In 2025, a global law enforcement action disrupted part of LummaC2’s infrastructure. Despite this, cybersecurity firms say similar malware continues to emerge rapidly.
Protecting Devices From SparkKitty Crypto Malware
Users can take several precautions to reduce their exposure to threats like SparkKitty. Only install apps from verified developers on official app stores. Avoid downloading unofficial mods, particularly those offering premium features for free.
Always check an app’s permissions before installation. If a video editing app asks for access to your photo gallery or contacts, it could be suspicious. Revoke gallery access unless it is essential to the app’s functionality. Use mobile antivirus or anti-malware apps that monitor background activity. Enable automatic security updates to patch vulnerabilities as soon as fixes are released.
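The permission review described above can be done for Android from a computer with adb. This is an added example, not from the original article: it parses `adb shell dumpsys package` output and lists user-installed apps that currently hold a gallery-read permission. The package names and sample dumps are constructed, and the `expected` allowlist of apps that legitimately need the gallery is an assumption.

```python
import re
import subprocess

# Runtime permissions that let an app read every image in the gallery.
GALLERY_PERMS = {
    "android.permission.READ_MEDIA_IMAGES",      # Android 13 and later
    "android.permission.READ_EXTERNAL_STORAGE",  # Android 12 and earlier
}
PERM_LINE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)", re.M)

def granted_gallery_perms(dumpsys_text):
    """Return the gallery permissions marked granted=true in one package's dump."""
    return {perm for perm, state in PERM_LINE.findall(dumpsys_text)
            if state == "true" and perm in GALLERY_PERMS}

def audit(dumps, expected=()):
    """dumps maps package name -> dumpsys text; expected lists apps that need the gallery."""
    findings = []
    for pkg in sorted(dumps):
        perms = granted_gallery_perms(dumps[pkg])
        if perms and pkg not in expected:
            findings.append((pkg, sorted(perms)))
    return findings

def collect_from_device():
    """Pull dumps for user-installed apps over adb (needs a connected device)."""
    out = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3"],
                         capture_output=True, text=True, check=True).stdout
    pkgs = [l.split(":", 1)[1].strip() for l in out.splitlines() if l.startswith("package:")]
    return {p: subprocess.run(["adb", "shell", "dumpsys", "package", p],
                              capture_output=True, text=True, check=True).stdout
            for p in pkgs}

# Constructed sample dumps (hypothetical package names), trimmed to the relevant lines.
SAMPLE = {
    "com.example.tokmod": """runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false""",
    "com.example.gallery": """runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true""",
    "com.example.notes": """runtime permissions:
        android.permission.READ_MEDIA_IMAGES: granted=false""",
}

if __name__ == "__main__":
    for pkg, perms in audit(SAMPLE, expected={"com.example.gallery"}):
        print(f"{pkg}: {', '.join(perms)}  ->  adb shell pm revoke {pkg} <permission>")
```

On a real device, pass `collect_from_device()` to `audit` in place of `SAMPLE`.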
For cryptocurrency users, offline or cold storage remains the most secure method. Avoid storing wallet seed phrases as photos or notes on your mobile device. Use a hardware wallet or write the seed phrase on paper and store it securely. This removes the risk of malware accessing your digital keys through your device.
Stay Alert as Mobile Malware Evolves
SparkKitty reflects the increasing sophistication of mobile-focused malware campaigns. Its combination of deceptive packaging, broad platform reach, and silent data theft is a growing concern. With mobile crypto use rising, attackers are tailoring their strategies to exploit everyday users.
Staying vigilant, updating your device, and securing your crypto information offline are critical steps. As threats like SparkKitty evolve, awareness and digital hygiene are your best defence.