New malware scans photos on Android and iOS devices

Kaspersky’s cybersecurity researchers have discovered a new and dangerous malware strain that they believe has been active since at least February 2024.

The malware, known as SparkKitty, is part of the SparkCat family, a series of Trojan horse programs designed to steal cryptocurrencies from unsuspecting users. Kaspersky first discovered the original SparkCat malware in January 2025, noting that it had made its way into the Google Play Store and Apple’s App Store.

Like many Trojans, these malicious applications masquerade as legitimate software. In the cryptocurrency world, this can be particularly risky. Researchers say that one such Android app, SOEX, serves as a messaging platform with cryptocurrency trading capabilities. They said it was downloaded more than 10,000 times on Google Play before being flagged. Kaspersky researchers found a similar app in the iOS App Store, as well as a modified version of the TikTok app, which poses as the real one.

SparkKitty is specifically designed to access users’ photo galleries. The reason is that many crypto users take screenshots of their recovery phrases (the phrases required to restore access to a wallet) and store them in the camera roll. By extracting these images, an attacker can gain full access to the victim’s crypto account.

Malware like SparkKitty is designed to scan for images that may be valuable to an attacker. But, according to Kaspersky’s detailed report on Securelist, unlike the more targeted earlier SparkCat, SparkKitty isn’t particularly selective: it scoops up a large number of images and sends them back to the attacker, regardless of their content.

While the main problem remains the theft of crypto wallet recovery phrases, wider access to users’ photo galleries opens the door to other risks, including potential ransomware using sensitive or private images. That said, there seems to be no evidence that the stolen images have been used for ransomware or similar schemes.

Kaspersky reported that the malware campaign was targeted primarily at users in Southeast Asia and China. Most of the infected apps masquerade as Chinese gambling games, TikTok clones and adult entertainment apps, all of which are tailored to users in these regions.