Kaspersky researchers have uncovered a malware campaign targeting crypto users through infected apps distributed via official app stores.
Cybersecurity experts Sergey Puzan and Dmitry Kalinin from Kaspersky identified a threat named SparkKitty — malware specifically designed to steal Bitcoin and other cryptocurrency seed phrases from users’ mobile devices.
The SparkKitty malware uses optical character recognition (OCR) technology to locate and extract seed phrases directly from screenshots saved on victims’ devices.
What makes this threat particularly dangerous is its ability to infiltrate seemingly secure channels, including official platforms like the Google Play Store and Apple App Store.
Kaspersky researchers identified the SparkKitty campaign as the successor to a previous malware known as SparkCat. This new variant has expanded its capabilities, no longer limiting itself to stealing seed phrases but also targeting any type of sensitive information found within a device’s photo gallery.
Two apps used to deliver the malware were crypto-focused. The first, called 币coin, promoted itself as a cryptocurrency information tracker and was listed on the App Store. The second was SOEX, a messaging app with “crypto exchange features”, which appeared on Google Play. SOEX reached over 10,000 installs on Google’s platform before being removed following Kaspersky’s report.
Kaspersky analysts first spotted the SparkKitty campaign while monitoring suspicious links promoting modified versions of the TikTok app for Android. These altered apps executed additional malware code when users launched the app’s core activities. Infected versions of the TikTok iOS app requested access to the photo gallery upon launch — a feature absent from the official TikTok app.
According to Kaspersky’s findings, the primary targets of this malware campaign are users in Southeast Asia and China, as the infected apps include various Chinese gambling games, TikTok clones, and adult games.
