Kaspersky Uncovers New Malware Stealing Crypto Wallets via Mobile Photos
The malware is actively affecting users across China and Southeast Asia, but experts warn its reach could expand globally.
SparkKitty Scans Photo Albums for Wallet Recovery Phrases
According to Kaspersky researchers, SparkKitty operates by infecting smartphones and covertly scanning all saved images on the device. It specifically looks for screenshots of crypto wallet recovery phrases—a common way users back up their 12- or 24-word seed phrases.
Once the malware finds such a screenshot, it can extract and transmit these sensitive credentials, allowing attackers to hijack users’ wallets and drain their funds.
Malware Masquerading as Legitimate Apps
SparkKitty spreads by posing as legitimate mobile applications, including:
“币 coin” – A cryptocurrency tracking app that was available on the Apple App Store.
“SOEX” – A messaging and trading app with over 100,000 downloads on Google Play, claiming to offer crypto trading features.
These apps acted as entry points for SparkKitty to infect devices without raising immediate suspicion. Kaspersky has since notified Google and Apple, and the apps have been removed from their respective stores.
Linked to SparkCat, Capable of Global Spread
Researchers believe SparkKitty is linked to SparkCat, a similar malware strain uncovered in January 2024, as both share code structures and behavioral patterns. SparkKitty has reportedly been in operation since at least early 2024, quietly targeting users in Asia.
Although the malware’s current focus is on China and Southeast Asia, Kaspersky warned that its technical capabilities pose a global threat, especially as seed phrase screenshots remain a common—and risky—backup method worldwide.
The firm urges crypto users to avoid storing sensitive recovery data in unencrypted photo albums and to be cautious of apps with unclear provenance, even on official app stores.
The post Kaspersky Uncovers New Malware Stealing Crypto Wallets via Mobile Photos appeared first on Coindoo.
Filed under: Bitcoin - @ June 24, 2025 11:21 am