
Kaspersky Lab specialists have identified a new cross-platform spyware Trojan called SparkKitty, which has been active on iOS and Android devices since at least the beginning of 2024 [1][7][8]. According to analysts Sergey Puzan and Dmitry Kalinin, this malware is related to the previously discovered SparkCat Trojan, which has similar goals and methods of operation [7][8].
Mechanism of infection and spread
SparkKitty infiltrates smartphones through the official app stores, the App Store and Google Play, as well as through third-party and fake platforms, including modified versions of popular apps such as TikTok [1][5][8]. In the App Store the Trojan was disguised as a crypto-information tracker called 币coin, and in Google Play as SOEX, a messenger with cryptocurrency exchange functions [3][5][7]. The SOEX app was downloaded more than 10,000 times before being removed after Kaspersky reported it; Google Play Protect protects users from further infections [3][7].
Malware goals and functionality
SparkKitty’s main task is to steal images from the infected device’s photo gallery. The Trojan pays special attention to screenshots containing cryptocurrency wallet seed phrases, which give attackers full access to the victim’s digital assets [1][3][7][8]. Beyond crypto data, the stolen images may contain other confidential information, which increases the scale of the potential damage [7].
To bypass protection, SparkKitty requests gallery access from the user under the pretext of normal app functionality, misleading the victim [3]. The malware is delivered as frameworks and libraries disguised as legitimate components; the Android version exists in both Java and Kotlin, including a malicious Xposed module [8].
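The permission request described above is the point at which a user, or an app reviewer, can still tell a legitimate app from a stealer: an app that only needs a single user-chosen image has no reason to ask for access to the whole gallery. The following Kotlin snippet is an added example written for this page, not code from Kaspersky's report or from any of the apps it names. It shows the least-privilege alternative on Android: the system Photo Picker, which returns only the items the user explicitly selects and requires no storage or media permission at all. The activity name and the handler it calls are assumptions.

```kotlin
import android.net.Uri
import android.os.Bundle
import androidx.activity.result.PickVisualMediaRequest
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity

// Hypothetical screen that lets the user choose one profile picture.
// Added example for this page; class and handler names are assumptions.
class AvatarPickerActivity : AppCompatActivity() {

    // The Photo Picker runs in a separate system process. The app receives a
    // content URI only for the item the user tapped and never holds
    // READ_MEDIA_IMAGES / READ_EXTERNAL_STORAGE, so it cannot enumerate the
    // gallery the way a gallery-wide permission would allow.
    private val pickImage =
        registerForActivityResult(ActivityResultContracts.PickVisualMedia()) { uri: Uri? ->
            if (uri != null) {
                onImageChosen(uri)
            }
            // A null result means the user dismissed the picker; nothing was shared.
        }

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // In a real app this would be triggered by a button; launched here
        // directly to keep the example short.
        pickImage.launch(
            PickVisualMediaRequest(ActivityResultContracts.PickVisualMedia.ImageOnly)
        )
    }

    // Hypothetical handler: the URI grants read access to this one item only.
    private fun onImageChosen(uri: Uri) {
        contentResolver.openInputStream(uri)?.use { stream ->
            // process the chosen image (resize, upload, etc.)
        }
    }
}
```

From the user's side the same principle applies in reverse: a "crypto tracker" or messenger that insists on full photo access (or, on Android 14 and later, refuses to work when only selected photos are shared) is asking for far more than its stated function needs, which is exactly the behaviour the article describes.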

Connection with SparkCat
SparkKitty and SparkCat share similar file paths and code structure, indicating a common origin [7][8]. While SparkCat used OCR to search selectively for images containing seed phrases, SparkKitty in most cases steals all images indiscriminately, making the campaign less selective but no less dangerous [8].
Geography and distribution
The main victims are users in Southeast Asia and China. This is confirmed by the fact that most of the infected apps have a Chinese interface and are distributed through platforms with content related to gambling, crypto exchanges and phishing versions of TikTok [1][7]. At the same time, nothing technically restricts SparkKitty to these regions, so it threatens users worldwide, including in Russia [1][7].
Response and protective measures
After the malware was discovered, Google promptly removed the SOEX app from Google Play, and Apple removed the 币coin app from the App Store [3][8]. Users are advised to download apps only from official sources, to use proven antivirus solutions such as Kaspersky Premium, and not to disable protection when installing programs [6].
Conclusion
Although the SparkKitty campaign, active since early 2024, is not technically sophisticated, it poses a real and ongoing threat to mobile users, especially those working with cryptocurrencies [1][7][8]. The malware shows that attackers successfully penetrate even official app stores using social engineering and disguises as popular crypto-oriented services. This highlights the need for greater vigilance and comprehensive security measures.
What new details are surrounding the origins of SparkKitty and its relationship to SparkCat?
New details uncovered by the researchers confirm that SparkKitty is a direct “little brother” of the SparkCat malware, reflected in the significant similarity of the two programs' code and infrastructure. The researchers note that SparkKitty and SparkCat have identical file paths and a similar code structure, which indicates a common origin and, likely, the same group of attackers [1][4][5].
In addition, both versions of the malware focus on stealing images from mobile photo galleries in order to find screenshots of crypto wallet seed phrases, underlining their common goal of gaining access to users’ crypto assets. SparkKitty differs, however, in that it steals all images without selectivity, whereas SparkCat used optical character recognition (OCR) to search selectively for the desired data [4].
SparkKitty can thus be considered an evolution or modification of SparkCat that retained the main functionality but simplified its methods of operation, which has allowed the campaign to continue since the beginning of 2024 and pose a real threat to mobile device users [1][4].
How Exactly the Malware Steals Seed Phrases and What It Means for Cryptocurrency Users
SparkKitty steals crypto wallet seed phrases by bulk-collecting screenshots from the infected device’s photo gallery. Once inside the system, the Trojan gains access to the images and sends them to the attackers’ command-and-control server. Then, using optical character recognition (OCR) implemented through the Google ML Kit library, the malware analyzes these images for keywords and phrases typical of seed phrases, the mnemonic word sequences needed to restore access to crypto wallets [2].
A seed phrase is the master key to a cryptocurrency wallet: a sequence of 12, 18 or 24 words that allows full control of the funds to be regained. If attackers obtain this phrase, they can freely access the wallet and transfer all cryptocurrency assets to their own addresses. For users this means complete loss of control over their digital assets, with no way to recover the stolen funds, since blockchain transactions are irreversible [3][5][6].
SparkKitty therefore poses a serious threat to crypto investors, since it steals the very information that is the “master key” to their finances. It is recommended to store seed phrases exclusively offline, to avoid photographing them or storing them digitally on internet-connected devices, and to use reliable antivirus solutions to protect against such threats [1][5].
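The advice above to keep seed phrases off screenshots can also be enforced from the wallet app's side, so that a seed-phrase image never reaches the gallery that a stealer like SparkKitty harvests. The following Kotlin snippet is an added example written for this page, not code from Kaspersky's report or from any wallet project: it marks the Activity that displays the recovery phrase with FLAG_SECURE, which makes Android refuse screenshots and screen recordings of that window. The activity name and the layout resource are assumptions.

```kotlin
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

// Hypothetical wallet screen that shows the recovery (seed) phrase.
// Added example for this page; the class name and layout id are assumptions.
class SeedPhraseActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // FLAG_SECURE must be set before the window is first drawn, so it
        // goes in onCreate ahead of setContentView. With the flag set, the
        // system blocks screenshots and screen recording (including
        // MediaProjection-based capture) of this window and shows a blank
        // thumbnail in the recent-apps overview. The result is that no
        // screenshot of the phrase is ever written to the gallery.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        setContentView(R.layout.activity_seed_phrase)
    }
}
```

FLAG_SECURE covers only this app's own window. It does not stop a user from photographing the screen with a second device, and it does nothing for screenshots that are already stored in the gallery, which is why the offline-storage advice still applies. Every other screen that exposes a secret (private-key export, QR-code backups) needs the same flag; a wallet that protects only the onboarding screen leaves the later "show recovery phrase" screen as the weak point.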
Why Attackers Are Choosing Crypto Apps as a Primary Target for SparkKitty Distribution
Attackers are choosing crypto apps as a primary target for distributing SparkKitty for several key reasons:
- High value of stolen information. Crypto apps contain seed phrases and other data that give complete control over users’ digital assets. Stealing such data provides attackers with the ability to quickly and irrevocably steal cryptocurrency, making these apps a particularly attractive target.
- High demand and active audience. Cryptocurrency services and applications have a large user base, especially in regions with an active crypto community, such as Southeast Asia and China. This increases the potential number of victims and profits for attackers.
- Social engineering and camouflage. Crypto apps often provide financial and exchange-related features, which allows malware to disguise itself as legitimate services (e.g., crypto information trackers or messengers with cryptocurrency exchange features). This increases the chances of malware being installed by users.
- No effective technical barriers. SparkKitty has no technical limitations that prevent it from working outside of specific regions, allowing attackers to scale attacks on crypto applications worldwide.
Thus, crypto apps are an attractive distribution channel for attackers spreading SparkKitty, as they provide access to high-value information and allow effective masking of malicious activity, making such attacks profitable and relatively easy to implement [1][2][3].
What measures does Google take to protect users from such threats in Google Play?
Google takes comprehensive measures to protect users from malicious apps on Google Play, including the following key mechanisms:
- Multi-level app verification. All apps added to Google Play undergo mandatory automated and manual checks for malicious code and security policy violations. This reduces the likelihood of dangerous programs getting into the store [1][2].
- Google Play Protect. This is the security system built into Android that continuously scans installed and downloaded apps in real time. Play Protect detects malware, phishing, ransomware and other threats, warns the user, and blocks or removes dangerous apps [3][5][7].
- Automatic removal and blocking. When a potentially dangerous app is detected, Google removes it from the store and blocks its installation on users’ devices. The system can also revoke an app's permissions if it exhibits suspicious activity [2][5].
- Data Safety section. Google Play has a dedicated section in which developers are required to disclose what data an app collects and transmits. This helps users make informed decisions when installing apps [1][2].
- Permission reset for inactive apps. If an app is not used for a long time (for example, three months), Google automatically resets its permissions to protect the user's privacy [2].
- Vulnerability bounty program. Google rewards security researchers for finding and reporting application and system vulnerabilities, which helps fix threats in a timely manner [1].
- Android 15 integration. In the latest versions of the OS, Google has strengthened protection with real-time threat detection based on artificial intelligence, which analyzes app behavior directly on the device and sends suspicious data to the cloud for verification [6][8].
Thus, Google has created a multi-level protection system that not only prevents malware from entering Google Play, but also provides constant monitoring of the security of already installed applications, minimizing risks for users.
What is the main danger for residents of Southeast Asia and China when using infected applications?
The main dangers for people in Southeast Asia and China when using infected apps like SparkKitty are as follows:
- Theft of confidential information and financial assets. The malware collects screenshots containing crypto wallet seed phrases, allowing attackers to gain full control over victims’ digital assets and steal their cryptocurrency. In addition, the stolen data may contain other personal information, increasing the risk of compromise.
- Widespread distribution via local platforms and applications. The infected applications have a Chinese interface and are distributed via services popular in the region (gambling, crypto exchanges, messengers and phishing versions of TikTok), which increases the likelihood that unwary users will be infected.
- High activity of cybercriminal groups. Southeast Asia and China are among the most attacked regions; numerous APT groups operate there using sophisticated methods of infiltration and malware disguise, including phishing, exploitation of vulnerabilities, and infiltration through popular services.
- Low user awareness and weak protection. Many users in the region may lack sufficient knowledge of cyber threats and do not use comprehensive protection tools, which makes it easier for attackers to distribute and successfully deploy malware.
- No technical restrictions on the malware. Although its main activity is concentrated in Southeast Asia and China, SparkKitty is not restricted to these regions, which creates the threat of further spread and a growing number of victims.
Thus, for residents of these regions, using infected applications carries a serious risk of financial loss, personal data leakage and further cyberattacks, which calls for stronger information security measures and greater digital literacy among the population [1][2].
- https://news.drweb.ru/show/?i=2717
- https://ptsecurity.com/ru-ru/research/analytics/kak-dejstvuyut-apt-gruppirovki-v-yugo-vostochnoj-azii/
- https://mgimo.ru/about/news/experts/nevoennye-ugrozy-bezopasnosti-v-yuva/
- https://cyberleninka.ru/article/n/kitay-i-strany-yugo-vostochnoy-azii-v-period-pervyh-voln-pandemii-covid-19
- https://www.vostokoriens.ru/articles/3441/217478
- http://lib.itsec.ru/newstext.php?news_id=87024
- https://rg.ru/2020/04/06/virusolog-obiasnil-pochemu-novyj-virus-okazalsia-shokom-dlia-chelovechestva.html
- https://old.fsvps.gov.ru/fsvps-docs/ru/iac/publications/iac_public4.pdf
- https://cyberleninka.ru/article/n/netraditsionnye-aspekty-bezopasnosti-v-yugo-vostochnoy-azii-harakternye-cherty-i-tendentsii-evolyutsii
- https://meduza.io/feature/2020/01/25/otkuda-berutsya-novye-virusy-budet-li-novaya-ispanka-pochemu-my-vse-esche-ne-zarazilis-stydnye-voprosy-o-globalnyh-epidemiyah
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%91%D0%B5%D0%B7%D0%BE%D0%BF%D0%B0%D1%81%D0%BD%D0%BE%D1%81%D1%82%D1%8C_%D0%BF%D1%80%D0%B8%D0%BB%D0%BE%D0%B6%D0%B5%D0%BD%D0%B8%D0%B9_%D0%B2_Google_Play_Store
- https://ya.ru/neurum/c/drugoe/q/kakie_mery_bezopasnosti_predusmotreny_v_google_ccc1baf6
- https://androidinsider.ru/obzory-prilozhenij/chto-takoe-zashhita-google-play-protect-i-dlya-chego-ona-nuzhna.html
- https://4pda.to/2025/03/26/440218/v_google_play_poyavyatsya_novye_funktsii_bezopasnosti/
- https://cq.ru/articles/tech/google-play-zashchita-chto-eto-takoe-i-kak-otkliuchit
- https://www.kaspersky.ru/blog/android-15-new-security-and-privacy-features/37541/
- https://ru.androidguias.com/Google-Play-Protect,-%D1%87%D1%82%D0%BE-%D1%8D%D1%82%D0%BE-%D1%82%D0%B0%D0%BA%D0%BE%D0%B5-%D0%B8-%D0%BA%D0%B0%D0%BA-%D1%80%D0%B0%D0%B1%D0%BE%D1%82%D0%B0%D0%B5%D1%82-%D1%81%D0%BA%D0%B0%D0%BD%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B5-%D0%B2-%D1%80%D0%B5%D0%B0%D0%BB%D1%8C%D0%BD%D0%BE%D0%BC-%D0%B2%D1%80%D0%B5%D0%BC%D0%B5%D0%BD%D0%B8/
- https://www.anti-malware.ru/news/2024-05-16-121172/43363
- https://policies.google.com/privacy/embedded
- https://www.kaspersky.ru/about/press-releases/haktivisty-bo-team-ispolzuyut-celevoj-fishing-dlya-atak-na-rossijskij-biznes-i-gossektor
- https://securelist.ru/copy-paste-heist-clipboard-injector-targeting-cryptowallets/107180/
- https://www.kaspersky.ru/about/press-releases/eksperty-laboratorii-kasperskogo-otmechayut-rost-chisla-i-urovnya-slozhnosti-celevyh-atak-programm-vymogatelej
- https://xvestor.ru/articles/sparkkitty-trojan-seed-crypto
- https://www.tadviser.ru/index.php/%D0%A1%D1%82%D0%B0%D1%82%D1%8C%D1%8F:%D0%9C%D0%BE%D1%88%D0%B5%D0%BD%D0%BD%D0%B8%D1%87%D0%B5%D1%81%D1%82%D0%B2%D0%BE_%D1%81_%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D0%BE%D0%B9
- https://www.kaspersky.ru/blog/cryptowallet-free-seed-phrase-scam/38833/
- https://www.ledger.com/ru/academy/%D0%9A%D0%B0%D0%BA-%D0%BA%D1%80%D0%B0%D0%B4%D1%83%D1%82-%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D0%BE%D0%B2%D0%B0%D0%BB%D1%8E%D1%82%D1%8B-%D0%B8-%D0%BA%D0%B0%D0%BA-%D1%8D%D1%82%D0%BE%D0%B3%D0%BE-%D0%B8%D0%B7%D0%B1%D0%B5%D0%B6%D0%B0%D1%82%D1%8C
- https://www.ixbt.com/live/crypto/chto-takoe-seed-fraza-v-hranenii-kriptovalyuty-i-kak-ee-obezopasit.html
- https://www.rbc.ru/crypto/news/675735349a794738ecd55c20
- https://securelist.ru/hot-and-cold-cryptowallet-phishing/107672/
- https://xakep.ru/2025/07/04/firefox-drainers/
- https://tangem.com/ru/blog/post/crypto-wallet-drainers/
- https://nyccrimelawyer.com/ru/chto-byvaet-kogda-bitkojny-terjajut-ili-skadut/
- https://tgstat.ru/en/channel/@itsec_news
- https://datafinder.ru/files/downloads/01/Spark_v_deystvii.pdf
- https://www.xn--80aaabumq4ahcizcaod0o.xn--p1ai/map.htm
- https://tgstat.ru/channel/@cyber_cabb
- https://telemetr.io/es/channels/1435664162-cyber_cabb/posts
- https://www.kaspersky.ru/about/press-releases/laboratoriya-kasperskogo-obnaruzhila-sparkkitty-kross-platformennyj-troyanec-shpion-dlya-ios-i-android
- https://korea.polpred.com/news/?sector=15&kw=113&person_id=all&page=99
- https://hi-tech.mail.ru/news/129225-eksperty-nashli-troyan-vor-v-app-store-kak-sebya-zashitit/
- https://korea.polpred.com/news?ns=1&sector=15&cat_a=1&page=6
- https://www.kaspersky.ru/blog/ios-android-stealer-sparkkitty/39936/
- https://www.kaspersky.ru/about/press-releases/zloumyshlenniki-rasprostranyayut-programmy-dlya-krazhi-dannyh-i-kriptovalyuty-rossiyan-pod-vidom-proektov-s-otkrytym-ishodnym-kodom
- https://www.block-chain24.com/news/novosti-bezopasnosti/vredonosnoe-po-sparkkitty-ishchet-v-telefone-skrinshoty-kriptofraz
- https://securelist.ru/sparkkitty-ios-android-malware/112895/
- https://cisoclub.ru/prilozhenija-v-app-store-i-google-play-rasprostranjali-sparkkitty-vredonosnoe-po-pohishhajushhee-foto-i-kriptovaljutu/
- https://store-kaspersky.ru/virusnews/securelist/